[Samba] Use of pam_smbpass

Diego Rivera lrivera at racsa.co.cr
Fri Oct 25 04:26:01 GMT 2002


The way it works is something like this:

PAM uses either a global configuration file which specifies the module
configuration for each service (i.e., httpd, samba, login, xauth, pop,
imap, etc...the OLD way), or individual files within a directory - one
per service.  The directory is usually /etc/pam.d.  This is the new and
"preferred" (by me, at least! :) ) way of doing PAM configurations.

You would use pam_smbpass wherever needed to allow particular services
to sync /etc/shadow with samba passwords as needed. See the
configuration examples below to get an idea.  Also, you would activate
the "pam password change" and "unix password sync" options in smb.conf. 
You would also add a configuration file for the service "samba", such
that Samba knows what passwords to sync with its own (thanks to the
aforementioned parameters).

My setup is as follows:

- All PAM service configurations (exception noted below) use
pam_stack.so to forward operation to the "passwd" service (i.e., when
the "httpd" service requests a password change, the request is actually
done using the configuration for the "passwd" service).

- Only the "passwd" service configuration has the actual rules for
changing passwords (i.e, change it in ldap, samba, shadow, etc.).  I use
only ldap, not shadow, but I list them both here to illustrate.

- The only other module that has password configuration is (you guessed
it!) the samba module.  Its configuration excludes the config for
pam_smbpass, since Samba already does that for us - we just need to
cover the areas Samba doesn't cover by itself (i.e., ldap and shadow,
for example).

Here's an example with three config files (irrelevant areas ommitted for

auth ...
account ...
session ...
# This next line causes the service config to "include" the 
# config from the passwd service and execute it as part of its own
passwd required /lib/security/pam_stack.so service=passwd

auth ...
account ...
session ...
# enforce strong passwords
password required pam_cracklib.so .....
# change the LDAP password
password required pam_ldap.so ...
# change the /etc/shadow password
password required pam_unix.so ...
# change the Samba password
password required pam_smbpass.so ...
# Add others as needed
password ...

auth ...
account ...
session ...
# change the LDAP password
password required pam_ldap.so ...
# change the /etc/shadow password
password required pam_unix.so ...
# Add others as needed
password required ...
# Note the absence of pam_smbpass.so!!!  Samba already does this

This causes the following (note that all other PAM services use
pam_stack in the same fashion as the first config file, this avoids
having to configure password changes all over the place):

- When any service executes a password change outside Samba, the samba
password will be updated with the new value, along with all the other
named services like LDAP, Shadow, etc.  This is the case for any and all
services which do NOT rely on Samba for password maintenance (like, for
example, the /usr/bin/passwd program).

- When any service executes a password change THROUGH Samba, all the
*other* password repositories will also be kept in sync (thanks to the
third PAM configuration file and the smb.conf parameters I mentioned
before).  This is the case if your Samba box is doing password
maitenance, and a Samba client requests a password change going through

I hope this is specific enough to help you find your answer.  I would
refer you to the PAM Admin documentation for more details on PAM
operation (it's quite simple, really), and also to the Samba docs
pertaining to PAM operation.  If you're going to be messing with stuff
like this, you should read as much of both docs as you can - I did and
it paid off in the end!


Diego Rivera
Nomadic Solutions
"Taking Linux to the Next Level"
Cell: (506) 393-0772
E-mail: diego at nomadic-solutions.com

On Thu, 2002-10-24 at 20:39, fred pasteck wrote:
> Hi all.
> I've spent the last several days trying to get
> pam_smbpass working on my RH62 box with samba-2.2.x
> unsuccessfully, and hoped someone could help.
> I've tried versions 2.2.2 and 2.2.6, but I suspect
> it's perhaps a misunderstanding of what exactly
> pam_smbpass is used for.
> There are a few things I'm trying to do:
> - sync /etc/shadow with /etc/samba/smbpasswd
> - sync /etc/samba/smbpasswd with /etc/shadow
> So, if someone uses passwd to change their password it
> will automatically also update the samba password. If
> a windows user changes their password, it should also
> update /etc/shadow. Is this correct?
> There are several examples in the sample/ directory
> included with the samba source, but it is unclear
> where these files actually go. I'm not terribly
> familiar with PAM.
> Can someone forward me their working copies of the PAM
> config files that apply to do what I've described
> above?
> Even when enabling "debug level = 10" it doesn't
> appear like /etc/shadow is being consulted. I've also
> tried strace'ing "passwd username" and it never
> updates smbpasswd. Same when doing vice-versa.
> I've searched the net and there are mentions of
> various smb.conf config settings that are supposed to
> work, all of which I've tried to no avail. What are
> the known-good smb.conf settings necessary to make
> this happen?
> Is it necessary for the samba server to be a domain
> controller? Does it work successfully with modern
> encrypted passwords?
> Thanks,
> Fred
> __________________________________________________
> Do you Yahoo!?
> Y! Web Hosting - Let the expert host your web site
> http://webhosting.yahoo.com/
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list