[Samba] AD integration checklist
Bjørn Tore Sund
bjorn.sund at it.uib.no
Sun Dec 10 12:39:47 GMT 2006
Don Meyer wrote:
>
> At 07:58 PM 12/8/2006, simo wrote:
>> > The one slight hiccup I am seeing is for console logins: locally
>> > defined users can log onto the console successfully -- if they use
>> > their AD password, they are accepted on the first password prompt.
>> >
>> > However, if they use their locally defined password (shadow) at the
>> > console, then they are subjected to a second password prompt each time
>> > -- and it doesn't matter whether they enter the local password
>> > correctly on the first prompt, it only matters on the second one. Is
>> > there something about my placement/ordering above that might be
>> > causing this?
>>
>> put the option use_first_pass on the second module in the stack, so that
>> it doesn't ask for a new password, but tries with the one provided to the
>> first module.
>
> Bingo! That did the trick.
>
> To be specific for others running across this problem, the option
> "use_first_pass" needs to be added to the second (and any subsequent)
> modules in the auth stack. (Excluding the pam_env module...)
My preference is normally for the "try_first_pass" option, where the
module will _try_ the first password attempted and only prompt for
another password if that fails. Gives better flexibility and doesn't
lock out a user who hasn't got their passwords synchronized.
-BT
--
Bjørn Tore Sund Phone: 555-84894 Email: bjorn.sund at it.uib.no
IT department VIP: 81724 Support: http://bs.uib.no
Univ. of Bergen
When in fear and when in doubt, run in circles, scream and shout.
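
Added example, not part of the original thread: a small Python check that reads a PAM auth stack and reports the modules that would prompt a second time, plus the ones set to use_first_pass. It assumes /etc/pam.d-style lines; the sample stack (pam_winbind followed by pam_unix) is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample stack; module order is an assumption, not from the thread.
SAMPLE_STACK = """\
auth  required    pam_env.so
auth  sufficient  pam_winbind.so
auth  sufficient  pam_unix.so nullok
auth  required    pam_deny.so
"""

# Modules that never ask for a password, so the reuse options do not apply.
NON_PROMPTING = {"pam_env.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so"}
REUSE_OPTIONS = {"use_first_pass", "try_first_pass"}
# type, control (plain word or [bracketed list]), module, options
LINE_RE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_auth_stack(text):
    """Return (line_no, control, module, options) for each auth line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m or m.group(1) in ("include", "substack"):
            continue  # other types, or a reference to another file
        control, module, opts = m.groups()
        entries.append((no, control, module.rsplit("/", 1)[-1], opts.split()))
    return entries


def find_reprompting_modules(text):
    """Modules after the first prompting one that lack a reuse option."""
    findings, seen_first = [], False
    for no, _control, module, opts in parse_auth_stack(text):
        if module in NON_PROMPTING:
            continue
        if not seen_first:
            seen_first = True  # the first prompting module is expected to ask
        elif not REUSE_OPTIONS & set(opts):
            findings.append((no, module))
    return findings


def strict_reuse_modules(text):
    """Modules with use_first_pass: they never prompt again, so a user
    whose local and AD passwords differ fails at that module."""
    return [(no, module) for no, _c, module, opts in parse_auth_stack(text)
            if "use_first_pass" in opts]


if __name__ == "__main__":
    print("re-prompting:", find_reprompting_modules(SAMPLE_STACK))
    print("use_first_pass:", strict_reuse_modules(SAMPLE_STACK))
```
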