Changing a password using PAM as root.

Steve Langasek vorlon at netexpress.net
Wed May 2 16:50:13 GMT 2001


On Wed, 2 May 2001, Andrew Bartlett wrote:

> Note that the reverse is similarly untested and needs some serious
> debugging.  That is, when we have the plaintext I'm not sure we have
> sufficient privilege to update the database, nor that the PAM module
> knows that we are a normal user that needs the old password.  (We still
> authenticate them against smbpasswd however.)

Honestly, there are never any guarantees you will be able to call
pam_chauthtok() successfully when there's no way to get additional information
from the user.  It all depends on the PAM modules used on the system.  You may
only need root privilege in order to change the password (pam_unix, pam_pwdb).
You may need the user's current password (pam_krb4, pam_krb5, pam_ldap?).  You
may also need to provide the user's grandmother's maiden name in order to
change passwords, in which case it'll never work from Samba (unless Samba can
prompt the user for this information during a password change? :).

This being the case, Samba should always 1) authenticate the user to its own
satisfaction before calling pam_chauthtok, 2) assume maximum system creds
(become_root()) before invoking PAM, and 3) be prepared to deal gracefully
with a permission denied error from the password changing function.

Steve Langasek
postmodern programmer
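
The case described above, a PAM module asking for something a server cannot prompt for, as an added example that is not part of the original message and is not Samba's code. It is a conversation callback that answers only the hidden old/new password prompts and returns a conversation error for any other question. Assumptions: `struct pw_change` and `noninteractive_conv` are hypothetical names, prompts are told apart by the words "new" and "current", and the PAM types and constants are redeclared as stand-ins so the block builds without libpam.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins mirroring Linux-PAM's <security/pam_appl.h> so this builds
 * without libpam; real code includes that header instead. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Hypothetical appdata: the plaintext passwords the server already holds. */
struct pw_change { const char *old_pw, *new_pw; };

/* Case-insensitive substring test; needle must be lower case. */
static int mentions(const char *s, const char *needle)
{
    for (; *s; s++) {
        size_t i = 0;
        while (needle[i] && tolower((unsigned char)s[i]) == needle[i]) i++;
        if (!needle[i]) return 1;
    }
    return 0;
}

/* Conversation callback for a caller that cannot prompt anyone. Assumption:
 * hidden prompts contain "new" or "current"; real prompt text varies. */
int noninteractive_conv(int n, const struct pam_message **msg,
                        struct pam_response **resp, void *appdata)
{
    const struct pw_change *pw = appdata;
    struct pam_response *r = n > 0 ? calloc((size_t)n, sizeof *r) : NULL;
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        const char *m = msg[i]->msg, *answer = NULL;
        int style = msg[i]->msg_style;
        if (style == PAM_PROMPT_ECHO_OFF && mentions(m, "new")) answer = pw->new_pw;
        else if (style == PAM_PROMPT_ECHO_OFF && mentions(m, "current")) answer = pw->old_pw;
        if (answer != NULL && (r[i].resp = malloc(strlen(answer) + 1)) != NULL)
            strcpy(r[i].resp, answer);
        if ((style == PAM_PROMPT_ECHO_OFF || style == PAM_PROMPT_ECHO_ON) && r[i].resp == NULL) {
            while (i-- > 0) free(r[i].resp);   /* a question we cannot answer */
            free(r);
            return PAM_CONV_ERR;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
}
```

A caller that registers such a callback still has to treat any failure of pam_chauthtok(), permission denied included, as a normal outcome of the change request.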




