Changing a password using PAM as root.

Andrew Bartlett abartlet at
Wed May 2 08:47:19 GMT 2001

Steve Langasek wrote:
> Hi Jeremy,
> On Tue, 1 May 2001, Jeremy Allison wrote:
> > > as pam is returning PAM_AUTHTOK_RECOVER_ERR to me from
> > > the pam_chauthtok() call.
> > > smbd doesn't know the plaintext of the old password, but is
> > > running as root so shouldn't need to. Can anyone point me
> > > to some docs to learn the magic to make linux pam allow a
> > > password change as root without the old password (and yes
> > > I'm perusing the pam source code, haven't found it yet, which
> > > is why I'm asking here :-).
> > Ok - I've done more work on this - it looks like a particular
> > pam module issue. If I use in the password line
> > of my /etc/pam.d/samba file then the password change works.
> > If I use the (default I think on RedHat 6.2) of
> > then it fails.
> > Is this just a bug in that pam module ?
> This seems likely to be a bug either in the pam module itself, or in the
> documentation which fails to outline the module's expectations. :)  Is Samba
> running with uid=0,euid=0 when you invoke PAM?  There are so many ways for
> PAM modules to misinterpret and mishandle the uid settings, and far too few of
> them are limited to the theoretical.
> Steve Langasek
> postmodern programmer

Note that the reverse is similarly untested and needs some serious
debugging.  That is, when we have the plaintext I'm not sure we have
sufficient privilage to update the database, nor that the PAM module
knows that we are a normal user that needs the old password.  (We still
authenticate them against smbpasswd however.).

Andrew Bartlett
abartlet at
Andrew Bartlett
abartlet at

More information about the samba-technical mailing list