[Samba] pam_smbpass

abartlet at dp.samba.org
Tue Aug 20 20:25:00 GMT 2002


On Wed, Aug 21, 2002 at 01:05:48AM -0400, Bradley W. Langhorst wrote:
> 
> Okay - I've got samba working as a PDC with an ldap backend.
> 
> I want to have some users not be in ldap (like the built in stuff like
> cyrus, mail, lp etc)
> 
> 
> I can get that to work with the pam_ldap and pam_unix but pam_smbpass 
> doesn't seem to return user_unknown as I expect for users who are not in
> the ldap database 
> 
> does this make sense?

Yes, this patch is correct.  I was under the impression that this had been
fixed, but I'll fix it in HEAD...

> --- pam_smb_passwd.c    12 Feb 2002 15:56:19 -0000      1.1.2.8
> +++ pam_smb_passwd.c    20 Aug 2002 23:41:57 -0000
> @@ -126,9 +126,9 @@
> 
>      /* obtain user record */
>      pdb_init_sam(&sampass);
> -    pdb_getsampwnam(sampass,user);
> +    /*pdb_getsampwnam(sampass,user);*/
> 
> -    if (sampass == NULL) {
> +    if (!pdb_getsampwnam(sampass,user)) {
>          _log_err( LOG_ALERT, "Failed to find entry for user %s.", user
> );
>          return PAM_USER_UNKNOWN;
>      }
> 
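Review bot: in the new `if (!pdb_getsampwnam(sampass,user))` branch, the early `return PAM_USER_UNKNOWN;` exits without releasing whatever `pdb_init_sam(&sampass)` set up two lines above; if that init allocates the record, release it before returning. The commented-out `/*pdb_getsampwnam(sampass,user);*/` line should be deleted rather than kept, since the call now lives in the condition. It is also worth reconsidering `LOG_ALERT` for this message: a lookup miss becomes an expected outcome once the module is stacked behind other account sources, so a lower priority would keep alert-level logs meaningful.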
> I don't think there should be any difference between these two bits of
> code (and I've not yet tested it) but I don't understand why this is
> failing...

It depends on initialisation etc - if that call fails, it won't touch the 
sampass and the 'init' ensures it's not NULL.

> password requisite      pam_cracklib.so retry=3 minlen=6 difok=3 debug
> password [user_unknown=ignore success=ok new_authtok_reqd=ok
> ignore=ignore default=bad] pam_ldap.so use_first_pass
> password required       pam_unix.so use_first_pass nullok md5 debug
> password [user_unknown=ignore success=ok new_authtok_reqd=ok
> ignore=ignore default=bad] pam_smbpass.so use_first_pass audit

This looks like a useful config...

Andrew Bartlett
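
The point about the 'init' and the untouched record, modelled as an added example (not part of the original message and not Samba or PAM code): an init that always allocates makes the pointer test dead, so a lookup miss never surfaces as user-unknown and a `default=bad` stack line fails. All names here are hypothetical stand-ins, the backend is a constructed two-user list, and the generic failure returned by the "before" path is an assumption.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for illustration; not Samba's or PAM's real API. */
enum rc { RC_SUCCESS, RC_USER_UNKNOWN, RC_FAILURE };
struct account { char name[32]; };

/* Like the 'init' in the thread: on return *acct is never NULL. */
static void account_init(struct account **acct) {
    *acct = calloc(1, sizeof **acct);
    if (*acct == NULL) abort();
}

/* Reports a miss through its return value and leaves acct untouched. */
static bool account_lookup(struct account *acct, const char *user) {
    static const char *const known[] = { "alice", "bob" }; /* constructed backend */
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
        if (strcmp(known[i], user) == 0) {
            strncpy(acct->name, user, sizeof acct->name - 1);
            return true;
        }
    }
    return false;
}

/* Before: return value dropped; the pointer test cannot fire after init. */
enum rc change_before(const char *user) {
    struct account *acct;
    account_init(&acct);
    account_lookup(acct, user);
    if (acct == NULL) return RC_USER_UNKNOWN;       /* dead branch */
    /* Assumption: working on the empty record ends in a generic failure. */
    enum rc rc = acct->name[0] ? RC_SUCCESS : RC_FAILURE;
    free(acct);
    return rc;
}

/* After: the lookup's own result decides, and the record is released. */
enum rc change_after(const char *user) {
    struct account *acct;
    account_init(&acct);
    bool found = account_lookup(acct, user);
    free(acct);
    return found ? RC_SUCCESS : RC_USER_UNKNOWN;
}

/* Simplified [user_unknown=ignore success=ok default=bad] control. */
bool line_fails_stack(enum rc rc) { return rc != RC_SUCCESS && rc != RC_USER_UNKNOWN; }
int main(void) { return line_fails_stack(change_after("cyrus")) ? 1 : 0; }
```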


