[Samba] AD integration checklist

Bjørn Tore Sund bjorn.sund at it.uib.no
Sun Dec 10 12:39:47 GMT 2006

Don Meyer wrote:
> At 07:58 PM 12/8/2006, simo wrote:
>> > The one slight hiccup I am seeing is for console logins:   locally
>> > defined users can log onto the console successfully --  if they use
>> > there AD password, they are accepted on the first password prompt.
>> >
>> > However, if they use their locally defined password (shadow) at the
>> > console, then they are subjected to a second password prompt each time
>> > -- and it doesn't matter whether they enter the local password
>> > correctly on the first prompt, it only matters on the second one.   Is
>> > there something about my placement/ordering above that might be
>> > causing this?
>> put the option use_first_pass on the second module in the stack, so that
>> it doesn't ask for a new password, but try with the one provided to the
>> first module.
> Bingo!  That did the trick.
> To be specific for others running across this problem, the option 
> "use_first_pass" needs to be added to the second (and any subsequent) 
> modules in the auth stack.  (Excluding the pam_env module...)
My preference is normally for the "try_first_pass" option, where the 
module will _try_ the first password attempted and only prompt for 
another password if that fails.  Give better flexibility and doesn't 
lock out a user who hasn't got their passwords synchronized.


Bjørn Tore Sund       Phone: 555-84894   Email:   bjorn.sund at it.uib.no
IT department         VIP:   81724       Support: http://bs.uib.no 
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.

More information about the samba mailing list