Steve Langasek vorlon at
Wed May 16 05:34:48 GMT 2001

Hi Brad,

On Tue, 15 May 2001, Brad Langhorst wrote:

> > However, when you want ALL authentication modules to say 'YES' before
> > things proceed, you need to make them all 'required'.  But if you
> > 'require' pam_deny, then they will all fail.  So you remove the
> > pam_deny, knowing that the user is 'required' to pass both pam_smbpass
> > and pam_unix in any case.

> > Hope this clears it up,
> very much so!
> The multiple sufficient lines had me all screwed up - now I think I
> understand that those only fail because we are changing the password.
> thanks!

> After your change and making a symlink to smbpasswd in /etc (from
> /etc/samba/smbpasswd) things seem to be working
> with one caveat...

> when a user types passwd he is prompted for both
> the old unix password AND the old samba password.

> This is inconvenient so I've tried a couple of things to avoid it.
> Putting "use_first_pass" on the smbpass causes the password
> change to fail with
> "password - (old) token not obtained"
> if smbpass is above pam_unix

> it fails saying "No password supplied" if it's below.

> Is there a way to fix that final quirk?

You're running into a bug in the pam_unix module which I finally caught and
squashed recently while testing pam_smbpass: released versions of pam_unix
will not pass authentication tokens on to other modules in the stack.  Any
password modules that share a password with pam_unix would need to be stacked
ahead of it.

A fixed version of pam_unix can be found in the Linux-PAM CVS tree at

With a well-behaved pam_unix module, the PAM config found in
samples/password-sync should do what you want:

auth       requisite
auth       required
account    required
password   requisite retry=3
password   requisite shadow md5 use_authtok try_first_pass
password   required nullok use_authtok try_first_pass
session    required

If you're stuck using an older version of pam_unix, you can reverse the order
of pam_unix and pam_smbpass.  The disadvantage there is that an extreme
failure scenario could have the user's smbpasswd updated, but not the Unix
password.  Our own local policy still prefers that the Unix password always be
updated at all costs -- if something has to break, better that it be the

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list
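The two things this thread turns on, the control flags (required / requisite / sufficient) and whether a module stacked below pam_unix can find the token pam_unix collected, can be modelled in a few dozen lines. The block below is an added example, not code from Linux-PAM, Samba, pam_unix or pam_smbpass, and it is a deliberate simplification: one pass over the stack (real Linux-PAM runs a PAM_PRELIM_CHECK pass over the whole stack and only then PAM_UPDATE_AUTHTOK), backends as plain dicts, and the new-password prompt done by the first module itself rather than by the separate `requisite retry=3` line in Steve's sample. The module names `pam_unix` and `pam_smbpass`, the user `brad` and the passwords are constructed sample data. It reproduces the cases discussed above: Brad's `use_first_pass` below an old pam_unix failing because no old token was obtained, Steve's pam_unix-first ordering working once pam_unix exports its tokens, and the reversed order leaving smbpasswd updated when the Unix update fails.

```python
"""Toy model of a Linux-PAM 'password' stack (added example; not Linux-PAM,
pam_unix or pam_smbpass code).  It models what the thread turns on: the
required/requisite/sufficient control flags, and whether use_first_pass,
try_first_pass and use_authtok find a token that an earlier module exported.
Assumed simplifications: one pass over the stack (real PAM runs PAM_PRELIM_CHECK
and then PAM_UPDATE_AUTHTOK), and each backend is a plain dict."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"                        # current password wrong
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"                  # no new token, or update failed
PAM_AUTHTOK_RECOVER_ERR = "PAM_AUTHTOK_RECOVER_ERR"  # old token not obtained


@dataclass
class Handle:
    """Stand-in for pam_handle_t: the items modules share through pam_get_item()."""
    items: Dict[str, Optional[str]] = field(
        default_factory=lambda: {"PAM_OLDAUTHTOK": None, "PAM_AUTHTOK": None})
    prompts: List[str] = field(default_factory=list)  # everything the user was asked


@dataclass
class Module:
    name: str
    args: List[str]
    exports_tokens: bool        # does it pam_set_item() the passwords it collected?
    store: Dict[str, str]       # this backend's password database (constructed)
    update_fails: bool = False  # simulate the backend refusing the write

    def chauthtok(self, pamh: Handle, conv, user: str) -> str:
        def ask(prompt):
            pamh.prompts.append(prompt)
            return conv(prompt)
        # Current password: reuse the stacked token or prompt, as the arguments say.
        old = pamh.items["PAM_OLDAUTHTOK"]
        if "use_first_pass" in self.args:
            if old is None:
                return PAM_AUTHTOK_RECOVER_ERR
        elif old is None or "try_first_pass" not in self.args:
            old = ask(f"(current) {self.name} password: ")
        if self.store.get(user) != old:
            return PAM_AUTH_ERR
        # New password: use_authtok means "take it from the stack, never prompt".
        new = pamh.items["PAM_AUTHTOK"]
        if "use_authtok" in self.args:
            if new is None:
                return PAM_AUTHTOK_ERR
        else:
            new = ask(f"New {self.name} password: ")
            if new != ask(f"Retype new {self.name} password: "):
                return PAM_AUTHTOK_ERR
        if self.exports_tokens:  # a well-behaved module hands both tokens down the stack
            pamh.items["PAM_OLDAUTHTOK"], pamh.items["PAM_AUTHTOK"] = old, new
        if self.update_fails:
            return PAM_AUTHTOK_ERR
        self.store[user] = new
        return PAM_SUCCESS


def run_password_stack(stack, conv, user):
    """Control-flag semantics: requisite fails fast, required keeps going but
    remembers the first failure, sufficient short-circuits on success."""
    pamh, first_required_failure = Handle(), None
    for control, module in stack:
        rc = module.chauthtok(pamh, conv, user)
        if rc == PAM_SUCCESS:
            if control == "sufficient" and first_required_failure is None:
                return PAM_SUCCESS, pamh
        elif control == "requisite":
            return rc, pamh
        elif control == "required" and first_required_failure is None:
            first_required_failure = rc
    return first_required_failure or PAM_SUCCESS, pamh


def change_password(config, unix_exports, unix_update_fails=False, user="brad"):
    """Run one 'passwd' through a pam.d-style config, a list of (control, module,
    args).  Returns (status, prompts shown, unix db entry, smbpasswd entry)."""
    dbs = {"pam_unix": {user: "old-secret"}, "pam_smbpass": {user: "old-secret"}}
    exports = {"pam_unix": unix_exports, "pam_smbpass": True}
    stack = [(ctl, Module(name, args, exports[name], dbs[name],
                          update_fails=(unix_update_fails and name == "pam_unix")))
             for ctl, name, args in config]
    answers = {"(current)": "old-secret", "New": "new-secret", "Retype": "new-secret"}

    def conv(prompt):  # the user types the same old and new password everywhere
        return next(v for k, v in answers.items() if prompt.startswith(k))

    rc, pamh = run_password_stack(stack, conv, user)
    return rc, pamh.prompts, dbs["pam_unix"][user], dbs["pam_smbpass"][user]


# Brad's attempt: pam_smbpass below pam_unix, told to reuse the first password.
USE_FIRST_PASS_BELOW = [("required", "pam_unix", ["shadow", "md5"]),
                        ("required", "pam_smbpass", ["use_first_pass", "use_authtok"])]
# Steve's ordering: pam_unix first, pam_smbpass picks up whatever it exported.
UNIX_FIRST = [("requisite", "pam_unix", ["shadow", "md5"]),
              ("required", "pam_smbpass", ["nullok", "use_authtok", "try_first_pass"])]
# The workaround for an old pam_unix: reverse the order, so smbpasswd is written first.
SMBPASS_FIRST = [("requisite", "pam_smbpass", ["nullok"]),
                 ("required", "pam_unix", ["shadow", "md5", "use_authtok", "try_first_pass"])]
```

Call `change_password(UNIX_FIRST, unix_exports=True)` to see the single set of prompts Steve describes, and `change_password(UNIX_FIRST, unix_exports=False)` for the released pam_unix, where pam_smbpass has to ask for the current password again and then fails on `use_authtok` because no new token was ever set. `change_password(SMBPASS_FIRST, False, unix_update_fails=True)` is the failure scenario the last paragraph warns about: smbpasswd holds the new password while the Unix password is unchanged. Because this model runs the stack once, the first scenario also leaves pam_unix's database updated; in real Linux-PAM the PAM_PRELIM_CHECK pass runs over the whole stack before any module writes, so a module that cannot obtain its token fails there first.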