pam_smbpass

Steve Langasek vorlon at netexpress.net
Wed May 16 05:34:48 GMT 2001


Hi Brad,

On Tue, 15 May 2001, Brad Langhorst wrote:


> > However, when you want ALL authentication modules to say 'YES' before
> > things proceed, you need to make them all 'required'.  But if you
> > 'require' pam_deny, then they will all fail.  So you remove the
> > pam_deny, knowing that the user is 'required' to pass both pam_smbpass
> > and pam_unix in any case.

> > Hope this clears it up,
> very much so!
> The multiple sufficient lines had me all screwed up - now I think I
> understand that those only fail because we are changing the password.
> thanks!

> After your change and making a symlink to smbpasswd in /etc (from
> /etc/samba/smbpasswd) things seem to be working
> with one caveat...

> when a user types passwd he is prompted for both
> the old unix password AND the old samba password.

> This is inconvenient so I've tried a couple of things to avoid it.
> Putting "use_first_pass" on the smbpass causes the password
> change to fail with
> "password - (old) token not obtained"
> if smbpass is above pam_unix

> it fails saying "No password supplied" if it's below.

> Is there a way to fix that final quirk?

You're running into a bug in the pam_unix module which I finally caught and
squashed recently while testing pam_smbpass: released versions of pam_unix
will not pass authentication tokens on to other modules in the stack.  Any
password modules that share a password with pam_unix would need to be stacked
ahead of it.

A fixed version of pam_unix can be found in the Linux-PAM CVS tree at
SourceForge.

With a well-behaved pam_unix module, the PAM config found in
samples/password-sync should do what you want:

auth       requisite        pam_nologin.so
auth       required         pam_unix.so
account    required         pam_unix.so
password   requisite        pam_cracklib.so retry=3
password   requisite        pam_unix.so shadow md5 use_authtok try_first_pass
password   required         pam_smbpass.so nullok use_authtok try_first_pass
session    required         pam_unix.so

If you're stuck using an older version of pam_unix, you can reverse the order
of pam_unix and pam_smbpass.  The disadvantage there is that an extreme
failure scenario could have the user's smbpasswd updated, but not the Unix
password.  Our own local policy still prefers that the Unix password always be
updated at all costs -- if something has to break, better that it be the
smbpasswd.

Cheers,
Steve Langasek
postmodern programmer
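To make the stacking behaviour above concrete, here is an added toy model (not Linux-PAM or Samba code) of a password stack with pam_unix placed above pam_smbpass. It leaves out pam_cracklib, treats the new token the same way as the old one, and answers prompts from a script, so it only shows which tokens get exported and how use_first_pass versus try_first_pass reacts when pam_unix has not exported them.

```python
SUCCESS, AUTHTOK_ERR = "PAM_SUCCESS", "PAM_AUTHTOK_ERR"  # labels, not real codes

class PamState:
    """Stand-in for the PAM handle: the item store plus every prompt issued."""
    def __init__(self):
        self.items, self.log, self.prompts = {}, [], []

    def prompt(self, msg):
        self.prompts.append(msg)
        return "reply-to:" + msg  # scripted answer; its content does not matter

def pam_unix(state, fixed):
    """Both versions prompt for the old and new password; only the fixed one
    exports them as PAM_OLDAUTHTOK / PAM_AUTHTOK for the modules below it."""
    old, new = state.prompt("(current) UNIX password"), state.prompt("New UNIX password")
    if fixed:
        state.items["PAM_OLDAUTHTOK"], state.items["PAM_AUTHTOK"] = old, new
    return SUCCESS

def pam_smbpass(state, opts):
    """use_first_pass: a token missing from the item store is fatal;
    try_first_pass: fall back to prompting the user for it."""
    for item, which, msg in (("PAM_OLDAUTHTOK", "old", "Current SMB password"),
                             ("PAM_AUTHTOK", "new", "New SMB password")):
        if item not in state.items:
            if "use_first_pass" in opts:
                state.log.append("password - (%s) token not obtained" % which)
                return AUTHTOK_ERR
            state.items[item] = state.prompt(msg)
    return SUCCESS

def run_stack(stack, state):
    """Evaluate [(control, module)] with 'requisite' / 'required' semantics."""
    failed = False
    for control, module in stack:
        if module(state) != SUCCESS:
            if control == "requisite":
                return False      # requisite: stop right here
            failed = True         # required: remember it, but run the rest
    return not failed

def change_password(fixed_unix, smb_opts):
    """pam_unix stacked above pam_smbpass; returns (ok, prompt count, log)."""
    state = PamState()
    stack = [("requisite", lambda s: pam_unix(s, fixed_unix)),
             ("required", lambda s: pam_smbpass(s, smb_opts))]
    return run_stack(stack, state), len(state.prompts), state.log
```

With the old pam_unix, use_first_pass reproduces the "(old) token not obtained" failure and try_first_pass produces the double prompt; with the fixed pam_unix either option gives a single pair of prompts.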

