problems with pam_smbpass

Steve Langasek vorlon at
Fri Jul 20 19:51:07 GMT 2001

Hello Bartlomiej,

On Fri, 20 Jul 2001, Bartlomiej Solarz-Niesluchowski wrote:

> I run SAMBA 2.2.1a (encrypted passwords) with smb_pass 0.7.5 on RH 7.1
> (i386) and I have problem with option try_first_pass

> When I change system-auth:
> [root at oceanic pam.d]# more system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/
> auth        sufficient    /lib/security/ likeauth nullok
> auth        required      /lib/security/

> account     required      /lib/security/

> password    required      /lib/security/ retry=3
> password    required    /lib/security/ nullok use_authtok try_first_pass md5 shadow
> password   required    /lib/security/ nullok use_authtok try_first_pass smbconf=/etc/samba/smb.conf

> session     required      /lib/security/
> session     required      /lib/security/

> the password changing procedure look like (user has the same UNIX/SMB
> passwords):
> [solarz at oceanic solarz]$ passwd
> Changing password for solarz
> (current) UNIX password:
> New UNIX password:
> Retype new UNIX password:
> No password supplied
> passwd: Authentication token manipulation error

> and after this UNIX password is changed but SMB password NO.

> PLEASE - somebody help me - I turn all debug but I do not see anything
> interesting - i check many combination of system-auth but it looks like
> option use_authtok and try_first_pass does not work on pam_smbpass module.....

There is a bug in all released versions of Linux-PAM which prevents you from
being able to stack any modules after pam_unix using the use_authtok
parameter.  Linux-PAM 0.76 will include a fixed version of pam_unix; in the
meantime you can use the CVS version of pam_unix available from sourceforge,
or you can make this work by reversing the order of the modules in your PAM

password    required    /lib/security/ retry=3
password    required    /lib/security/ nullok use_authtok \
password    required    /lib/security/ nullok use_authtok \
                           try_first_pass md5 shadow

This should work, with the one side-effect that in extreme failure cases, the
smbpasswd file may be updated and the Unix password file may not, rather than
the other way around.

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list