password syncing using pam when using ldap for system auth

Andrew Bartlett abartlet at
Sat Jan 4 02:44:01 GMT 2003

On Sat, 2003-01-04 at 00:56, bryan hunt wrote:
>  I am using samba and ldap.
>  LDAP is used for linux login and imap authentication.
>  Samba is used for domain login and file sharing.
>  Everything is up and running with one exception
>  When I try to do a password change from a windows machine I
>  get the following error ( repeated about 8 times )
>  [2003/01/02 18:51:48, 0] lib/util_sec.c:assert_gid(114)
>    Failed to set gid privileges to (0,65534) now set to (0,-1) uid=(0,65534)
>  [2003/01/02 18:51:48, 0] lib/util.c:smb_panic(1094)
>    PANIC: failed to set gid

I would look into whether you have any groups with gid == -1, particularly
for the 'nobody' user.  This could be causing a problem here.

>  If I get rid of the password syncing option in the smb.conf
>  the password gets changed with no problems but with
>  the
>   pam password change = yes
>  option set in the file the user password change fails.

I don't think this has any relation to the previous errors.  Instead,
it's due to the way Samba changes passwords.

>  I want to get the password syncing working because it would be
>  cool for my users to have a single password for mail/unix stuff etc.
>  Anyone encountered this before? I've done a lot of googling and searched
>  the bugs database but nobody seems to have encountered this problem before.
>  I can change a user's unix (ldap) password straight from the command line
>  (using the passwd program) without any problems.

Are you changing their password, or setting their password?  The
difference matters, because Samba can only *set* the password, it does
not know the old password.

On /etc/passwd based systems, samba can do this, because it becomes root
for the operation.  On LDAP, it's more difficult - it needs to convince
the LDAP server that it has the right to set the password.

>  This is the /etc/pam.d/passwd configuration that I have
>  set up ....
>  #%PAM-1.0
>  auth       sufficient   /lib/security/
>  auth       required     /lib/security/ use_first_pass
>  account    sufficient   /lib/security/
>  account    required     /lib/security/
>  # I commented this out in case samba couldn't handle it ...
>  #password   required    /lib/security/ retry=3
>  password   sufficient   /lib/security/
>  password   required     /lib/security/ try_first_pass
>  This is the /etc/pam.d/samba config ....
>  #%PAM-1.0
>  auth       sufficient   /lib/security/
>  auth       required     /lib/security/ try_first_pass
>  account    sufficient   /lib/security/
>  account    required     /lib/security/
>  I also tried this config .....
>  #%PAM-1.0
>  auth       required     /lib/security/
>  auth       required     /lib/security/ service=system-auth
>  account    required     /lib/security/ service=system-auth
>  session    required     /lib/security/ service=system-auth
>  password   required     /lib/security/ service=system-auth
>  No errors with that one but the password remained unchanged ....
>  Any ideas guys? I reckon I must have screwed up the pam configuration
>  for /etc/pam.d/samba but I am no pam expert so I am currently thrashing
>  around in the dark ....

The big thing about syncing with PAM is that you must set the manager
password in some config file, so that pam_ldap can make an
administrative connection to the LDAP server.  See the pam_ldap
documentation for details.

However, we have made this a bit easier in Samba 3.0 - there is a new
option called 'ldap password sync' that works with Samba's existing
pdb_ldap to set the user's password, using Samba's administrative

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
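A check for the pam_ldap administrative-bind setup the reply describes, added here as an example and not part of the thread: it assumes the PADL pam_ldap convention of a `rootbinddn` line in /etc/ldap.conf with the manager password kept in a root-only /etc/ldap.secret (both paths are assumptions; distributions vary).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Verifies that pam_ldap can make its administrative LDAP connection
# without the manager password leaking through a world-readable file:
#   - "rootbinddn" names the manager DN in the main config,
#   - no "bindpw" sits in that (normally 0644) config,
#   - the secret file exists and is mode 600 or 400.
# Assumed file layout: /etc/ldap.conf + /etc/ldap.secret (PADL pam_ldap).

check_pam_ldap_admin() {
    conf="$1"
    secret="$2"

    # The manager DN must be set, uncommented, for password changes to work.
    if ! grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+' "$conf"; then
        echo "FAIL: no rootbinddn in $conf"
        return 1
    fi

    # A bindpw here would expose the manager password to every local user.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$conf"; then
        echo "FAIL: bindpw set in $conf (world-readable file)"
        return 1
    fi

    [ -f "$secret" ] || { echo "FAIL: $secret missing"; return 1; }

    # GNU stat first, BSD/macOS stat as fallback; ownership by root is not
    # checked here so the function can be exercised as an unprivileged user.
    mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $secret has mode $mode, expected 600"; return 1 ;;
    esac

    echo "OK: pam_ldap administrative bind configured in $conf / $secret"
    return 0
}

# Usage on a live host (paths are assumptions):
#   check_pam_ldap_admin /etc/ldap.conf /etc/ldap.secret
```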
