[Samba] PAM Module for SMB-LDAP

Bradley W. Langhorst brad at langhorst.com
Tue Jan 28 18:59:02 GMT 2003


On Tue, 2003-01-28 at 05:43, Matthias Eichler wrote:
> Hi Everybody,
> 
> maybe we are just too stupid, but for me it seems that 
> there is some problem with holding passwords completely
> sync between *NIX-world and WIN-world when I use LDAP
> & Samba.
> 
> If a user changes a password under Windows, with "passwd chat"
> the *NIX-Password (attribute: userPassword) can be changed
> very well besides both the Samba-LDAP-attributes lmPassword
> and ntPassword.
> 
> But if a user from the *NIX-world wants to change his password
> over a service that uses PAM.D we have the following problem:
> 
> pam_smbpass.so can authenticate UNIX Users via SMB-LDAP
> but it can not be used for "passwd" from UNIX-side!!!
> We already read the source code and pam_smbpass.so always
> wants to change the smbpasswd-file, which is not used
> for regular users in LDAP-mode...

I use pam smbpass for this...

here's my /etc/pam.d/passwd file

password requisite      pam_cracklib.so retry=3 minlen=6 difok=3 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_ldap.so use_first_pass
password required       pam_unix.so use_first_pass nullok md5 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_smbpass.so use_first_pass audit

I don't claim that file to be perfect but it does seem to work just fine
for me.

I'm also using the ldap in the nsswitch.conf

brad
-- 
Bradley W. Langhorst <brad at langhorst.com>
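An added example, not part of the original message or of Samba: a Python check that parses a `password` stack like the one posted above, including the bracketed `[value=action ...]` control field, and lists later modules that carry no password-reuse option. The sample text is constructed from the message, and the function names and the `REUSE` option set are assumptions of this example.

```python
# Constructed sample: the stack from the message with the mail-wrapped
# entries rejoined; one uses a backslash continuation, which PAM accepts.
SAMPLE = """\
password requisite pam_cracklib.so retry=3 minlen=6 difok=3 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok \\
  ignore=ignore default=bad] pam_ldap.so use_first_pass
password required pam_unix.so use_first_pass nullok md5 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok \\
  ignore=ignore default=bad] pam_smbpass.so use_first_pass audit
"""
# Assumption: options that make a module reuse an already-entered password.
REUSE = {"use_first_pass", "try_first_pass", "use_authtok"}

def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    return out

def parse_entry(line):
    """Split one /etc/pam.d entry into (type, control, module, args)."""
    kind, rest = line.split(None, 1)
    if rest.startswith("["):
        end = rest.find("]")
        if end == -1:  # what a hard-wrapped [..] field looks like
            raise ValueError("unterminated [control] field: " + line)
        control = dict(p.split("=", 1) for p in rest[1:end].split())
        rest = rest[end + 1:]
    else:
        control, rest = rest.split(None, 1)
    module, *args = rest.split()
    return kind, control, module, args

def review_password_stack(text):
    """Return (modules in order, later modules lacking a REUSE option)."""
    pw = [e for e in map(parse_entry, logical_lines(text)) if e[0] == "password"]
    modules = [e[2] for e in pw]
    no_reuse = [e[2] for e in pw[1:] if not REUSE & set(e[3])]
    return modules, no_reuse

if __name__ == "__main__":
    print(review_password_stack(SAMPLE))
```

A bracketed entry split across lines without a trailing backslash raises `ValueError` in `parse_entry`, so a hard-wrapped copy of the file is caught before it is installed.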
