samba pam_ldap password syncing pam

Steve Langasek vorlon at
Thu Jan 9 15:22:13 GMT 2003

On Thu, Jan 09, 2003 at 10:53:32AM +0000, bryan hunt wrote:
> Forgive the subject line, I wanted it to turn up if someone 
> was googling.

That being the case, I feel I should note for the benefit of googlers
that pam_pwdb is long-unmaintained, so it's not necessarily a good choice
for a password module; and that the below configuration is tailored for
an environment where Samba is serving connections to both LDAP users and
non-LDAP users, both using (apparently) plaintext passwords.

In our environment, for instance, any user not in LDAP should *not* be
able to authenticate to the server, since only non-user system accounts
are configured in our local password file.

> I have found that the following combination works well for 
> password syncing using pam when the system is configured to 
> use ldap for user authentication ( pam_ldap ).

> I hope this is of use to someone.

> /etc/pam.d/samba

> #%PAM-1.0
> auth       sufficient   /lib/security/
> auth       required     /lib/security/ use_first_pass
> account    sufficient   /lib/security/
> account    required     /lib/security/
> password   sufficient   /lib/security/
> password   required     /lib/security/ try_first_pass

FWIW, this last line might work better as:

  password   required     /lib/security/ use_authtok try_first_pass

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list