Andrew Bartlett abartlet at
Tue May 15 23:44:37 GMT 2001

Brad Langhorst wrote:
> > However, when you want ALL authentication modules to say 'YES' before
> > things procede, you need to make them all 'required'.  But if you
> > 'require' pam_deny, then they will all fail.  So you remove the
> > pam_deny, knowing that the user is 'required' to pass both pam_smbpass
> > and pam_unix in any case.
> >
> > Hope this clears it up,
> very much so!
> The multiple sufficient lines had me all screwed up - now i think i
> understand that those only fail because we are changing the password.
> thanks!
> After your change and making a symlink to smbpasswd in /etc (from
> /etc/samba/smbpasswd) things seem to be working
> with one caveat...
> when a user types passwd  he is prompted for both
> the old unix password AND the old samba password.
> This is inconvenient so I've tried a couple of things to avoid it.
> Putting "use_first_pass" on the smbpass causes the password
> change to fail with
> "password - (old) token not obtained"
> if smbpass is aboce pam_unix
> it fails saying "No password supplied" if it's below.
> Is there a way to fix that final quirk?
> thanks for your help!
> brad

I have:
password   optional     /lib/security/ use_first_pass

In my system-auth file.  The optional bit is to bring the password back
into line, checking only the unix password db.  But the bit your
interested in is the 'use_authtok'.  See if that helps.

Andrew Bartlett
abartlet at

More information about the samba-technical mailing list