[Samba] Password sync in 3.6.0 on OS X 10.7, Lion

Martin Diers mwdlists at diers.us
Fri Aug 19 08:11:22 MDT 2011

My company, which is a Mac-heavy shop in the printing industry, needed
to migrate to a faster file server. As our directory trees are very
large, both Samba and Netatalk were bogging down badly on our Linux
server (Samba due to heavy CPU usage during directory listings, the
case-sensitive file system issue, and Netatalk because the CNID db was
getting too big).

Our solution was to switch to a Mac server running a Thunderbolt RAID
array. This forced us into using Lion, as the only Snow Leopard machines
with Thunderbolt ports are laptops. The new server is extremely fast
even with our large file systems. But SMBX is causing numerous problems.

Yesterday, I succeeded in getting Samba 3.6.0 compiled and running on
Lion, and now have a working MacPorts package. Only one patch was
required: to address issues with NGROUPS_MAX on Lion, which prevented
smbd from starting. (FYI: because groups can be nested in Lion, but
getgrouplist() reports the list without nesting, the number of groups in
some system account used by Samba exceeds NGROUPS_MAX. The fix just
forces it to 32 in lib/system.c: ugly, but it works.)

I do not understand how Apple's OpenDirectory integration used to work
with Samba in versions <= 10.6. I assume they maintained smbpasswd
tokens inside OpenDirectory. Regardless, this is no longer done in Lion.
Instead, I attempted to use the pam_smbpass module to sync passwords
with the tdb backend.

I copied the compiled pam_smbpass.dynlib module to

I then setup /etc/pam.d/passwd like so:

auth       required   pam_permit.so
account    required   pam_opendirectory.so
password   requisite  pam_opendirectory.so
password   required   pam_smbpass.so nullok use_authtok try_first_pass
session    required   pam_permit.so

This prevents user accounts on the Server from changing their own
password at all. The root user can still change individual system
account passwords, but no smbpasswd syncing takes place.

I have tried several variants on the "password required" line. All of
them exhibit the same behavior.

I have been unable to find any debug or log information that sheds much
light on this behavior. When the user attempts to change their password,
this is what is shown in /var/log/secure.log:

passwd[229]: in _openpam_check_error_code(): pam_sm_chauthtok():
unexpected return value 12

And this is what the user sees:

$ passwd
Changing password for <user>.
passwd: authentication information is unavailable

smbd.log shows nothing at all.

If the user's password is changed using the root account, no errors of
any kind are logged, and no smbpasswd sync takes place.

I know that pam_smbpass works in FreeBSD, which also uses OpenPAM, so I
doubt it is an OpenPAM incompatibility. I'm just not sure where to look

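The secure.log line in the post carries the one hard fact available, and it is easy to misread. The following added example (mine, not the post's and not OpenPAM's or Samba's code) decodes the numeric return value with OpenPAM's numbering, which macOS and FreeBSD use, side by side with Linux-PAM's, and reports whether OpenPAM considers the code a legitimate result of pam_sm_chauthtok. Under OpenPAM, 12 is PAM_AUTHINFO_UNAVAIL, whose pam_strerror text is exactly the "authentication information is unavailable" the user sees; a Linux-PAM table would label the same number PAM_NEW_AUTHTOK_REQD. OpenPAM logs it as "unexpected" only because its sanity check in openpam_dispatch.c does not list that code among the ones pam_sm_chauthtok may return; the value is still propagated, so the module's real failure happened before the message. As I read Samba 3.x's pam_smb_passwd.c, pam_sm_chauthtok returns PAM_AUTHINFO_UNAVAIL both when the calling process is not running with effective uid 0 and when the Samba passdb cannot be opened, so the first things to check are whether Lion's passwd binary runs as root for a non-root user (ls -l /usr/bin/passwd) and whether the passdb backend in smb.conf is readable; these are checks to run, not conclusions the post establishes. The allowed-code list is transcribed from openpam_dispatch.c as I recall it and should be verified against the installed OpenPAM; the log line is a constructed copy of the one quoted above.

```c
/* Added example (not from the original post, OpenPAM or Samba): decode an
 * OpenPAM "unexpected return value N" log line. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OpenPAM security/pam_constants.h, indices 0..29 (macOS, FreeBSD). */
static const char *const openpam_names[] = {
    "PAM_SUCCESS", "PAM_OPEN_ERR", "PAM_SYMBOL_ERR", "PAM_SERVICE_ERR",
    "PAM_SYSTEM_ERR", "PAM_BUF_ERR", "PAM_CONV_ERR", "PAM_PERM_DENIED",
    "PAM_MAXTRIES", "PAM_AUTH_ERR", "PAM_NEW_AUTHTOK_REQD",
    "PAM_CRED_INSUFFICIENT", "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN",
    "PAM_CRED_UNAVAIL", "PAM_CRED_EXPIRED", "PAM_CRED_ERR", "PAM_ACCT_EXPIRED",
    "PAM_AUTHTOK_EXPIRED", "PAM_SESSION_ERR", "PAM_AUTHTOK_ERR",
    "PAM_AUTHTOK_RECOVERY_ERR", "PAM_AUTHTOK_LOCK_BUSY",
    "PAM_AUTHTOK_DISABLE_AGING", "PAM_NO_MODULE_DATA", "PAM_IGNORE",
    "PAM_ABORT", "PAM_TRY_AGAIN", "PAM_MODULE_UNKNOWN", "PAM_DOMAIN_UNKNOWN",
};

/* Linux-PAM security/_pam_types.h, indices 0..31. Same names, different
 * numbers: a Linux table decodes 12 as PAM_NEW_AUTHTOK_REQD. */
static const char *const linuxpam_names[] = {
    "PAM_SUCCESS", "PAM_OPEN_ERR", "PAM_SYMBOL_ERR", "PAM_SERVICE_ERR",
    "PAM_SYSTEM_ERR", "PAM_BUF_ERR", "PAM_PERM_DENIED", "PAM_AUTH_ERR",
    "PAM_CRED_INSUFFICIENT", "PAM_AUTHINFO_UNAVAIL", "PAM_USER_UNKNOWN",
    "PAM_MAXTRIES", "PAM_NEW_AUTHTOK_REQD", "PAM_ACCT_EXPIRED",
    "PAM_SESSION_ERR", "PAM_CRED_UNAVAIL", "PAM_CRED_EXPIRED", "PAM_CRED_ERR",
    "PAM_NO_MODULE_DATA", "PAM_CONV_ERR", "PAM_AUTHTOK_ERR",
    "PAM_AUTHTOK_RECOVER_ERR", "PAM_AUTHTOK_LOCK_BUSY",
    "PAM_AUTHTOK_DISABLE_AGING", "PAM_TRY_AGAIN", "PAM_IGNORE", "PAM_ABORT",
    "PAM_AUTHTOK_EXPIRED", "PAM_MODULE_UNKNOWN", "PAM_BAD_ITEM",
    "PAM_CONV_AGAIN", "PAM_INCOMPLETE",
};

#define COUNT(a) ((int)(sizeof (a) / sizeof (a)[0]))

const char *openpam_name(int rc)
{
    return (rc >= 0 && rc < COUNT(openpam_names)) ? openpam_names[rc] : "(unknown)";
}

const char *linuxpam_name(int rc)
{
    return (rc >= 0 && rc < COUNT(linuxpam_names)) ? linuxpam_names[rc] : "(unknown)";
}

/* Codes OpenPAM's _openpam_check_error_code() accepts from pam_sm_chauthtok
 * (its common set plus the chauthtok-specific set), in OpenPAM numbering.
 * Transcribed from openpam_dispatch.c as I recall it; verify against the
 * installed version. Anything else yields the "unexpected return value"
 * log line, but the value is still handed back to the caller. */
int openpam_chauthtok_accepts(int rc)
{
    static const int ok[] = {
        0, 3, 5, 6, 7, 26,      /* SUCCESS, SERVICE_ERR, BUF_ERR, CONV_ERR, PERM_DENIED, ABORT */
        20, 21, 22, 23, 27,     /* AUTHTOK_ERR, _RECOVERY_ERR, _LOCK_BUSY, _DISABLE_AGING, TRY_AGAIN */
    };
    for (int i = 0; i < COUNT(ok); i++)
        if (ok[i] == rc)
            return 1;
    return 0;
}

/* Pull the numeric code out of an OpenPAM "unexpected return value N"
 * log line. Returns N, or -1 if the line does not carry one. */
int parse_unexpected_rc(const char *line)
{
    static const char key[] = "unexpected return value ";
    const char *p = strstr(line, key);
    if (p == NULL)
        return -1;
    p += sizeof key - 1;
    char *end;
    long v = strtol(p, &end, 10);
    return (end == p) ? -1 : (int)v;
}

/* Constructed copy of the secure.log line quoted in the post. */
static const char sample_log[] =
    "passwd[229]: in _openpam_check_error_code(): pam_sm_chauthtok(): "
    "unexpected return value 12";

int main(void)
{
    int rc = parse_unexpected_rc(sample_log);
    printf("code %d: OpenPAM %s, Linux-PAM %s; %s for pam_sm_chauthtok\n",
           rc, openpam_name(rc), linuxpam_name(rc),
           openpam_chauthtok_accepts(rc) ? "legal" : "not an allowed return");
    return 0;
}
```

The practical point is that a bare number in secure.log must be decoded with the tables of the PAM implementation that wrote it; on Lion that is OpenPAM, and 12 there is the "authentication information is unavailable" the user is shown, not a new-authtok-required condition.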