Samba and PAM

Eric Reischer emr at
Fri Mar 30 23:09:30 GMT 2001

>PAM has nothing to do with permissions or RID mapping. Samba will use PAM 
>for authentication when possible, which is only if you have configured it 
>not to use encrypted passwords. If you have encrypted passwords turned on 
>then Samba doesn't have access to the plaintext of the password and so it 
>can't pass the password on to the PAM module.

That did it.  It's going to my PAM kerberos module now.  But this brings up 
another issue: Since I'm authenticating via PAM, the users that will be 
accessing the system are not in the /etc/passwd file.  Now since there will 
be over 1,500 people accessing this system, I don't want to have to 
maintain a huge passwd file.  The problem is, it appears as though before 
it tries to authenticate via PAM, something in pass_check.c tries to 
resolve the given username to a UID using /etc/passwd.  I can confirm this 
because I added a test account to /etc/passwd, except with a different 
password from my kerberos account, and it authenticated successfully (when 
I entered in my kerberos password at the prompt).  It seems that if I have 
the `force user` directive set, it should never need to look up the user's 
UID in the first place.  I could probably modify the code myself to replace 
all UID calls with a single variable, which I can set to whatever UID I 
want, but I was wondering if there was already a way to do that, and I'm 
just not finding it.

