Andrew Bartlett abartlet at
Tue May 15 23:12:35 GMT 2001

Brad Langhorst wrote:
> > Make 'sufficient' 'required' for the pam_unix line.  What's happening
> > here is that it reaches sufficient and bails, as there is nothing else
> > to do, what's been done is 'sufficient'.  You will need to drop the
> > pam_deny line too, else it will all just be denied.
> yeah that's what I thought ...
> however when I make that change I get an
> authentication token manipulation error.
> (whether smbpass above, below or not present at all..)
> don't understand that bit about the pam_deny line.
> I didn't write that system-auth, just stuck in a smbpass line...
> any idea why?
> brad

OK, now for a quick lesson in pam_stack and RedHat's particular choice
of authentication setup:

- All programs call pam_stack
- Pam stack then walks system-auth, until it has the user authenticated.
  - Standard PAM rules apply
  - Sufficient prevents further processing

It's quite valid to have more than one authentication module listed, for
example you could have the local /etc/passwd and LDAP, for example.  The
pam_deny line is in case there are NO authentication modules, or they all
fail - to ensure the user is not accidentally let in.

However, when you want ALL authentication modules to say 'YES' before
things proceed, you need to make them all 'required'.  But if you
'require' pam_deny, then they will all fail.  So you remove the
pam_deny, knowing that the user is 'required' to pass both pam_smbpass
and pam_unix in any case.  

Hope this clears it up,
Andrew Bartlett
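
The stack behaviour described in this message, modelled as a small Python walk over (control, module) pairs. This is an added example, not part of the original message and not Linux-PAM code; the four stacks are constructed from the thread, and only the `required` and `sufficient` flags are modelled.

```python
# Simplified model of how PAM walks one stack of modules.
# Added illustration: not Linux-PAM source, and the stacks below are constructed.

def run_stack(stack, results):
    """Walk (control, module) pairs; results maps module -> True/False.
    Returns (granted, modules_called)."""
    called, required_failed, any_success = [], False, False
    for control, module in stack:
        ok = results[module]
        called.append(module)
        if control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True        # remembered; the walk continues
        elif control == "sufficient":
            if ok and not required_failed:
                return True, called           # success here ends the walk
            # a failing 'sufficient' module is ignored
        else:
            raise ValueError(f"control flag not modelled: {control}")
    # Deny if any 'required' module failed or if nothing succeeded at all.
    return any_success and not required_failed, called

# Constructed stacks following the thread; pam_deny always fails.
ORIGINAL = [("sufficient", "pam_unix"), ("required", "pam_deny")]
SMBPASS_AFTER_SUFFICIENT = [("sufficient", "pam_unix"),
                            ("required", "pam_smbpass"),
                            ("required", "pam_deny")]
ALL_REQUIRED_WITH_DENY = [("required", "pam_unix"),
                          ("required", "pam_smbpass"),
                          ("required", "pam_deny")]
ALL_REQUIRED = [("required", "pam_unix"), ("required", "pam_smbpass")]

def check(stack, unix_ok=True, smbpass_ok=True):
    results = {"pam_unix": unix_ok, "pam_smbpass": smbpass_ok, "pam_deny": False}
    return run_stack(stack, results)

if __name__ == "__main__":
    for name in ("ORIGINAL", "SMBPASS_AFTER_SUFFICIENT",
                 "ALL_REQUIRED_WITH_DENY", "ALL_REQUIRED"):
        print(f"{name:26} {check(globals()[name])}")
    print("ALL_REQUIRED, smbpass fails:", check(ALL_REQUIRED, smbpass_ok=False))
```

In the second stack pam_smbpass is never called once pam_unix succeeds, and in the third every attempt is denied because pam_deny is itself 'required'.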
