./configure --with-pam_smbpass fails

Steve Langasek vorlon at netexpress.net
Thu May 10 15:42:33 GMT 2001


On Thu, 10 May 2001, Shanker Balan wrote:

> CVS now compiles --with-pam_smbpass. ;)

> I am however not able to sync UNIX passwords after adding the following
> to smb.conf. I have removed the older chat based lines from smb.conf

>     pam password change = yes
>     UNIX password sync = yes

Side note: you'll want to turn off 'unix password sync'.

> I am using openldap-1.2.11-15 with pam-0.74-22 on a RHL 7.1 system.

> Snips from the samba logs:

> smb_pam_passchange_conv: Could not find reply for PAM prompt: Enter
> login(LDAP) password:
> PAM: unable to obtain the new authentication token - is password to
> weak?
> smb_pam_error_handler: PAM: Password Change Failed : Authentication
> token manipulation error
> smb_pam_passchange: PAM: Password Change Failed for user xxx!

> I can successfully change passwords using LDAP passwords using "passwd"
> as normal user.

> $ passwd
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for foo
> passwd: all authentication tokens updated successfully

I see two problems here.  First, according to the current source, you need
to use the 'passwd chat' option in your smb.conf file to tell Samba how to
handle the prompts it gets from PAM modules.  The default value is

   *new*password* %n\n *new*password* %n\n *changed*

which I think would need to be changed to something like

   New*password*\n*new*password*\n*changed*

However, the second problem is going to be the show-stopper here: the
current Samba password changing code is written expecting to only have to
provide PAM with the new password.  Since you're using pam_ldap, root has no
special privileges and must also provide the user's /old/ password during a
password change.  We may or may not have access to the old password at this
point, but at the very least the PAM code doesn't know how to supply it.

So the pam password changing code is not very usable yet, at least not for PAM
modules like pam_ldap.

Steve Langasek
postmodern programmer
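
The two failures Steve points out can be reproduced with a small model of the
chat-driven PAM conversation.  This is an added illustration, not Samba's
code and not part of the original message: the PAM message sequence is
constructed from the passwd transcript quoted above, the matching rule (any
expect glob may answer any prompt, case-insensitively) is a simplification,
and the `%o` placeholder for the old password in the second script is this
model's assumption, which the message says the 2001 PAM code cannot fill.

```python
"""Model of a 'passwd chat' driven PAM password-change conversation.

Added illustration, not Samba's code.  It shows why the default chat
script has no reply for pam_ldap's first prompt, and why a script that
does answer it still needs the old password.
"""
import fnmatch

# Constructed PAM message sequence (kind, text), taken from the passwd
# transcript in the message: "prompt" needs a reply, "info" does not.
LDAP_MESSAGES = [
    ("prompt", "Enter login(LDAP) password:"),
    ("prompt", "New UNIX password:"),
    ("prompt", "Retype new UNIX password:"),
    ("info", "LDAP password information changed for foo"),
]

# Samba's default 'passwd chat' value, as quoted in the message.
DEFAULT_CHAT = r"*new*password* %n\n *new*password* %n\n *changed*"

# Hypothetical script that also answers the pam_ldap prompt.  %o standing
# for the old password is an assumption of this model only.
LDAP_CHAT = r"*login*password* %o\n *new*password* %n\n *new*password* %n\n *changed*"


def parse_chat(script):
    """Split a chat script into (expect_glob, reply) pairs.  Tokens alternate
    expect/send; a final expect with no send merely has to be seen."""
    tokens = script.split()
    return [(tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None)
            for i in range(0, len(tokens), 2)]


def converse(script, messages, new_password, old_password=None):
    """Answer each PAM message from the chat script.

    Returns (ok, reason, transcript); transcript is a list of (message, reply).
    Any expect pattern may answer any prompt (case-insensitive glob), and a
    reply expands %n (new password) and %o (old password).  A prompt with no
    matching pattern fails the change with the same wording as the Samba log
    line; so does a reply that needs an old password we do not have.
    """
    pairs = parse_chat(script)
    transcript = []
    for kind, text in messages:
        match = next(((expect, send) for expect, send in pairs
                      if fnmatch.fnmatchcase(text.lower(), expect.lower())), None)
        if kind != "prompt":
            transcript.append((text, None))   # informational: nothing to send
            continue
        if match is None or match[1] is None:
            return False, f"Could not find reply for PAM prompt: {text}", transcript
        send = match[1]
        if "%o" in send and old_password is None:
            return False, f"old password needed for prompt {text!r} but not available", transcript
        reply = (send.replace(r"\n", "")        # smb.conf's literal \n ends the reply
                     .replace("%n", new_password)
                     .replace("%o", old_password or ""))
        transcript.append((text, reply))
    return True, "ok", transcript


if __name__ == "__main__":
    runs = [("default chat", DEFAULT_CHAT, None),
            ("ldap chat, old password unknown", LDAP_CHAT, None),
            ("ldap chat, old password known", LDAP_CHAT, "hunter2")]
    for name, script, old in runs:
        ok, reason, _ = converse(script, LDAP_MESSAGES, "n3wpass", old)
        print(f"{name}: {'ok' if ok else 'FAILED: ' + reason}")
```

The first run stops at the very first prompt, which is the
`smb_pam_passchange_conv` error in the quoted logs; the second run gets past
the glob match but has nothing to put in the reply, which is the
show-stopper Steve describes; only the third, where the caller already holds
the old password, completes the exchange.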
