pam_smbpass and LDAP....

Steve Langasek vorlon at
Thu Jul 25 12:25:02 GMT 2002

On Thu, Jul 25, 2002 at 06:34:11PM +0200, Bartlomiej Solarz-Niesluchowski wrote:
> At 11:05 2002-07-25 -0500, Steve Langasek wrote:
> >I've checked a pam_smbpass binary built from CVS HEAD, and it is
> >correctly linked against libldap; libldap provides the ldap_value_free
> >function.  If you're seeing different behavior, either -lldap is not
> >being correctly added to the LIBS line when Samba builds, or your
> >libldap is missing some symbols that pam_smbpass is expecting.

> in Makefile:
> LIBS=-lacl  -ldl -lnsl -lpam -lpopt
> LDAPLIBS=-lresolv -lldap -llber

> bin/ $(PAM_SMBPASS_OBJ) bin/.dummy
>         @echo Linking shared library $@
>         $(SHLD) -shared -o $@ $(PAM_SMBPASS_OBJ) $(LDFLAGS) -lpam 
> $(DYNEXP) $(LIBS) -lc \
>                 -Wl,-soname=`basename $@`

> I changed to:
> bin/ $(PAM_SMBPASS_OBJ) bin/.dummy
>         @echo Linking shared library $@
>         $(SHLD) -shared -o $@ $(PAM_SMBPASS_OBJ) $(LDFLAGS) -lpam 
> $(DYNEXP) $(LIBS) $(LDAPLIBS) -lc \
>                 -Wl,-soname=`basename $@`

Ok. Straightforward.

> Module load correctly (no messages in messages), but it does not work 
> correctly:
> portraits:~$ passwd
> Changing password for user tester.
> Enter login(LDAP) password:
> Changing password for tester
> Current SMB password:
> passwd: Authentication token manipulation error

> (when i try smbpasswd it works)

> system-auth (RH 73)
> password    required      /lib/security/ retry=3 type=
> password    sufficient    /lib/security/ nullok use_authtok md5 
> shadow
> password    required    /lib/security/ use_authtok
> password   required    /lib/security/ smbconf=/etc/samba/smb.conf
> password    required      /lib/security/

> (system-auth seems be ok because I use it on different machine and it works 
> - but on different machine is no LDAP)....

Ok, this is the sequence of events you've specified:

- cracklib is required
- if pam_unix succeeds, we consider it a success.
- if pam_unix *fails*, we consider it a failure, but we still try to
  change other passwords (pam_ldap and pam_smbpass).

I would recommend that you take a look at the example PAM configurations
that ship with Samba in the source/pam_smbpass directory.  I'm not
entirely certain what effect you're trying to achieve, but I suspect one
of the sample configurations will be closer to what you want than what
you currently have.

BTW, do you already have SMB passwords loaded into LDAP for your users?
If not, you will definitely need to add the 'nullok' option for

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list