| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On Thursday 08 April 2004 15:42, Volkov Peter Alexandrovich wrote: |
| 5 |
> Hi. |
| 6 |
> |
| 7 |
> I have Samba server. I'd like to use it as WINS server and, as this |
| 8 |
> computer is only samba server, so it's a good idea to make it local |
| 9 |
> master browser. It's Ok with configuration of PAM, but some time after |
| 10 |
> server was up users became to blame me for bad network browsing. I |
| 11 |
> blame PAM. |
| 12 |
> |
| 13 |
> The first sing was during ssh login. It takes long time to connect on |
| 14 |
> a absolutly free server! Then during system startup after starting |
| 15 |
> last service everything hangs on >20 seconds and only after this I can |
| 16 |
> see login invitation. |
| 17 |
> |
| 18 |
> Yesterday I rebuilded system from stage 3, and for 1 day everything |
| 19 |
> worked very fast (as it must to work) but now again this delay doesn't |
| 20 |
> allow users to browse in a normal way (As this computer is local |
| 21 |
> master browser (NBT)). |
| 22 |
> |
| 23 |
> A little experiment to understand that it is really PAM. I've started |
| 24 |
> sshd -d to see what is going on. So: file-server root # sshd -d |
| 25 |
> debug1: sshd version OpenSSH_3.7.1p2 |
| 26 |
> debug1: read PEM private key done: type RSA |
| 27 |
> debug1: private host key: #0 type 1 RSA |
| 28 |
> debug1: read PEM private key done: type DSA |
| 29 |
> debug1: private host key: #1 type 2 DSA |
| 30 |
> socket: Address family not supported by protocol |
| 31 |
> debug1: Bind to port 22 on 0.0.0.0. |
| 32 |
> Server listening on 0.0.0.0 port 22. |
| 33 |
> debug1: Server will not fork when running in debugging mode. |
| 34 |
> |
| 35 |
> At this point server is waiting for connections... then I'm trying to |
| 36 |
> connect : |
| 37 |
> |
| 38 |
> Connection from 172.16.0.1 port 32781 |
| 39 |
> debug1: Client protocol version 2.0; client software version |
| 40 |
> OpenSSH_3.7.1p2 debug1: match: OpenSSH_3.7.1p2 pat OpenSSH* |
| 41 |
> debug1: Enabling compatibility mode for protocol 2.0 |
| 42 |
> debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2 |
| 43 |
> debug1: permanently_set_uid: 22/22 |
| 44 |
> debug1: list_hostkey_types: ssh-rsa,ssh-dss |
| 45 |
> debug1: SSH2_MSG_KEXINIT sent |
| 46 |
> debug1: SSH2_MSG_KEXINIT received |
| 47 |
> debug1: kex: client->server aes128-cbc hmac-md5 none |
| 48 |
> debug1: kex: server->client aes128-cbc hmac-md5 none |
| 49 |
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received |
| 50 |
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent |
| 51 |
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT |
| 52 |
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent |
| 53 |
> debug1: SSH2_MSG_NEWKEYS sent |
| 54 |
> debug1: expecting SSH2_MSG_NEWKEYS |
| 55 |
> debug1: SSH2_MSG_NEWKEYS received |
| 56 |
> debug1: KEX done |
| 57 |
> debug1: userauth-request for user root service ssh-connection method |
| 58 |
> none debug1: attempt 0 failures 0 |
| 59 |
> debug1: PAM: initializing for "root" |
| 60 |
> |
| 61 |
> At this point process stops on >20 seconds and then with the next |
| 62 |
> strings of text the password promt was show to me... |
| 63 |
> |
| 64 |
> As Samba uses PAM for authentification for now I am sure that it is |
| 65 |
> PAM that slows down the whole windows networking. |
| 66 |
> |
| 67 |
> I have 4 boxes with identical configuration (although the hardware |
| 68 |
> differs a bit) but this happens only on one of them. |
| 69 |
> |
| 70 |
> How to speedup PAM? How can I find out more details about problem? |
| 71 |
|
| 72 |
How is your pam authentication set up? What are the contents |
| 73 |
of /etc/pam.d/sshd, /etc/pam.d/system-auth |
| 74 |
and /etc/pam.d/system-auth-winbind |
| 75 |
|
| 76 |
If you use system-auth-winbind. Then don't use pam authentication for |
| 77 |
samba. Also in general using standard authentication for samba is quite |
| 78 |
insecure. It seems that the problem is caused by some kind of |
| 79 |
authentication loop. |
| 80 |
|
| 81 |
Paul |
| 82 |
|
| 83 |
- -- |
| 84 |
Paul de Vrieze |
| 85 |
Gentoo Developer |
| 86 |
Mail: pauldv@g.o |
| 87 |
Homepage: http://www.devrieze.net |
| 88 |
-----BEGIN PGP SIGNATURE----- |
| 89 |
Version: GnuPG v1.2.4 (GNU/Linux) |
| 90 |
|
| 91 |
iD8DBQFAdVo4bKx5DBjWFdsRAj6gAJ9sMB20ydkmtjFGS5wwVZ1w5+kZogCbB6Z1 |
| 92 |
IV3B2LdalNYuFeoYQ1dSAuk= |
| 93 |
=JnzT |
| 94 |
-----END PGP SIGNATURE----- |
| 95 |
|
| 96 |
-- |
| 97 |
gentoo-security@g.o mailing list |
Archives