[Samba] AD integration checklist

Don Meyer dlmeyer at uiuc.edu
Sat Dec 9 23:50:36 GMT 2006

At 07:58 PM 12/8/2006, simo wrote:
> > The one slight hiccup I am seeing is for console logins:   locally
> > defined users can log onto the console successfully --  if they use
> > there AD password, they are accepted on the first password prompt.
> >
> > However, if they use their locally defined password (shadow) at the
> > console, then they are subjected to a second password prompt each time
> > -- and it doesn't matter whether they enter the local password
> > correctly on the first prompt, it only matters on the second one.   Is
> > there something about my placement/ordering above that might be
> > causing this?
>put the option use_first_pass on the second module in the stack, so that
>it doesn't ask for a new password, but try with the one provided to the
>first module.

Bingo!  That did the trick.

To be specific for others running across this problem, the option 
"use_first_pass" needs to be added to the second (and any subsequent) 
modules in the auth stack.  (Excluding the pam_env module...)

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_winbind.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth 
nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so


Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 

More information about the samba mailing list