Andrew Bartlett abartlet at
Tue May 15 22:54:59 GMT 2001

Brad Langhorst wrote:
> I've searched the archives and found some references to pam_smbpass
> but nothing helpful.
> I want to do the same thing lots of other people want to do with samba...
> keep my unix password db in sync with the samba password db.
> So on the samba side i have it thing set up to chat to the system and update
> the unix password - works fine.
> I want to make passwd do the same thing from the unix side - so I searched
> around and it seems that pam_smbpass is designed for just this situation.
> I downloaded the rpm (redhat 7 machine) and installed with no trouble.
> then I put it into pam.d (system-auth)
> auth        sufficient    /lib/security/ likeauth nullok md5 shadow
> auth        required      /lib/security/
> account     sufficient    /lib/security/
> account     required      /lib/security/
> password    required      /lib/security/ retry=3
> password    sufficient   /lib/security/ nullok use_authtok md5
> shadow
> password    required      /lib/security/ nullok use_authtok
> try_first_pass
> password    required      /lib/security/
> session     required      /lib/security/
> session     required      /lib/security/
> system-auth is used like this in redhat (from passwd)
> auth       required     /lib/security/ service=system-auth
> account    required     /lib/security/ service=system-auth
> password   required     /lib/security/ service=system-auth
> but only the unix password is updated
> no errors in the logs, no screen output just no update
> I saw a post about the position in the stack so i tried moving smbpass up one
> line.  I get this message if I do that.
> passwd jsk
> Changing password for user jsk
> passwd: User not known to the underlying authentication module.
> How can I figure out what is going on?  Is there some kind of debug flag
> (didn't see it in the docs...)
> thanks for any nudges in the right direction.
> brad

Make 'sufficient' 'required' for the pam_unix line.  Whats happening
here is that it reaches sufficient and bails, as there is nothing else
to do, whats been done is 'sufficient'.  You will need to drop the
pam_deny line too, else it will all just be denied.

Hope this makes sence.

Andrew Bartlett

Andrew Bartlett
abartlet at

More information about the samba-technical mailing list