Brad Langhorst brad at
Tue May 15 23:28:35 GMT 2001

> However, when you want ALL authentication modules to say 'YES' before
> things procede, you need to make them all 'required'.  But if you
> 'require' pam_deny, then they will all fail.  So you remove the
> pam_deny, knowing that the user is 'required' to pass both pam_smbpass
> and pam_unix in any case.
> Hope this clears it up,
very much so!
The multiple sufficient lines had me all screwed up - now i think i 
understand that those only fail because we are changing the password.

After your change and making a symlink to smbpasswd in /etc (from 
/etc/samba/smbpasswd) things seem to be working
with one caveat...

when a user types passwd  he is prompted for both 
the old unix password AND the old samba password.  

This is inconvenient so I've tried a couple of things to avoid it.
Putting "use_first_pass" on the smbpass causes the password 
change to fail with
"password - (old) token not obtained" 
if smbpass is aboce pam_unix

it fails saying "No password supplied" if it's below.

Is there a way to fix that final quirk?

thanks for your help!



More information about the samba-technical mailing list