samba pam_ldap password syncing pam
Steve Langasek
vorlon at netexpress.net
Thu Jan 9 15:22:13 GMT 2003
On Thu, Jan 09, 2003 at 10:53:32AM +0000, bryan hunt wrote:
> Forgive the subject line, I wanted it to turn up if someone
> was googling.
That being the case, I feel I should note for the benefit of googlers
that pam_pwdb is long-unmaintained, so it's not necessarily a good choice
for a password module; and that the below configuration is tailored for
an environment where Samba is serving connections to both LDAP users and
non-LDAP users, both using (apparently) plaintext passwords.
In our environment, for instance, any user not in LDAP should *not* be
able to authenticate to the server, since only non-user system accounts
are configured in our local password file.
> I have found that the following combination works well for
> password syncing using pam when the system is configured to
> use ldap for user authentication ( pam_ldap ).
> I hope this is of use to someone.
> /etc/pam.d/samba
> #%PAM-1.0
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so use_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
> password sufficient /lib/security/pam_ldap.so
> password required /lib/security/pam_pwdb.so try_first_pass
FWIW, this last line might work better as:
password required /lib/security/pam_pwdb.so use_authtok try_first_pass
Regards,
--
Steve Langasek
postmodern programmer
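
The point made above about non-LDAP users, as an added example that is not part of the original thread: a simplified model of how PAM combines `sufficient` and `required` results, run over the posted `auth` lines. The per-account module outcomes and the LDAP-only variant are constructed assumptions, not configurations or results from the thread.

```python
# Added example: simplified model of Linux-PAM stack evaluation, limited to
# the "sufficient" and "required" control flags used in the posted file.
POSTED = """\
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_unix_auth.so use_first_pass
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix_acct.so
"""
# Hypothetical LDAP-only variant (an assumption, not taken from the thread).
LDAP_ONLY = "auth required /lib/security/pam_ldap.so\n"

# Constructed outcomes: what each module returns when the password is correct.
LDAP_USER = {"pam_ldap.so": True, "pam_unix_auth.so": False}
LOCAL_ONLY_USER = {"pam_ldap.so": False, "pam_unix_auth.so": True}
UNKNOWN_USER = {"pam_ldap.so": False, "pam_unix_auth.so": False}

def parse_stack(text, mgmt_type):
    """Return [(control, module_file)] for one management group."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, incl. #%PAM-1.0
        if len(fields) >= 3 and fields[0] == mgmt_type:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries, results):
    """Apply the two control flags in order; True means the stack succeeds."""
    required_failed = False
    any_success = False
    for control, module in entries:
        ok = results[module]
        if control not in ("sufficient", "required"):
            raise ValueError("control flag not modelled: " + control)
        if control == "sufficient" and ok and not required_failed:
            return True  # success here ends the stack immediately
        if control == "required" and not ok:
            required_failed = True  # remembered; later modules still run
        any_success = any_success or ok  # a failed "sufficient" is ignored
    return any_success and not required_failed

def can_authenticate(config, results):
    return evaluate(parse_stack(config, "auth"), results)

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("ldap-only", LDAP_ONLY)):
        for who, res in (("ldap user", LDAP_USER), ("local-only user", LOCAL_ONLY_USER)):
            print(name, who, can_authenticate(cfg, res))
```

With the posted stack the local-only account falls through the failed `sufficient` pam_ldap line and is accepted by pam_unix_auth; with the single `required` pam_ldap line it is rejected.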
More information about the samba-technical mailing list