[Samba] smb_pass

Steve Thompson smt at vgersoft.com
Wed Jan 5 15:31:17 MST 2011

Samba 3.5.1, CentOS 5.5 i386 and x86_64. All users are in LDAP, except for 
the base system accounts with uid < 500. No local SMB passwords. Only file 
servers are joined to the domain (and the machine in question, below, is 
not one of these).

I'm trying to get to grips with the pam_smbpass module (so that a Linux 
user logging in with an expired password changes their LDAP and SMB 
passwords together), and have a lot of questions. But in this posting, one 
question only. It seems that the pam_smbpass module does not function at 
all unless the LDAP admin password has been entered with "smbpasswd -w", 
since it appears to be trying to bind as the LDAP admin when a normal user 
uses the "passwd" command. Indeed, if I don't have an 
/etc/samba/secrets.tdb file, the action of the passwd command by a normal 
user is to create one (with what password?), and to create a 
sambaDomainName entry in the LDAP database for the machine.

Question is: why? Shouldn't it bind as the user who is changing their 
password? Am I incorrect in thinking that it shouldn't need the LDAP admin 

I'm currently using this system-auth extract:

password        requisite       pam_cracklib.so try_first_pass retry=3
password        sufficient      pam_unix.so md5 shadow try_first_pass use_authtok
password        required        pam_ldap.so use_authtok use_first_pass
password        required        pam_smbpass.so use_authtok use_first_pass

which does appear to do what I want, secrets.tdb notwithstanding.
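
The control flags in the password stack quoted above decide which modules actually run for a given user. The following is an added illustration, not part of the original post or of Samba: a small simulator of the classic Linux-PAM control semantics (requisite/sufficient/required/optional) applied to that exact stack, with constructed per-module outcomes for a local user and for an LDAP user. It collapses PAM's two-phase password change (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK) into a single pass, which is enough to show the ordering effects.

```python
"""Simulate how Linux-PAM walks the 'password' stack from the post."""

# The stack from the post as (control, module) pairs; module options are
# dropped because only the control flags decide the flow.
SYSTEM_AUTH_PASSWORD = [
    ("requisite", "pam_cracklib.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_smbpass.so"),
]


def run_stack(stack, results):
    """Walk `stack` with simplified Linux-PAM semantics.

    `results` maps module name -> True (PAM_SUCCESS) or False (failure).
    Returns (overall_success, modules_actually_run).
    """
    failed = False          # a required/requisite module has failed so far
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran               # abort at once
        if control == "required" and not ok:
            failed = True                   # remember, keep walking
        if control == "sufficient" and ok and not failed:
            return True, ran                # short-circuit: rest never runs
        # 'optional' and a failing 'sufficient' do not affect the result
    return (not failed), ran


def local_user():
    """Constructed: uid < 500 account that exists in /etc/shadow."""
    return {"pam_cracklib.so": True, "pam_unix.so": True,
            "pam_ldap.so": True, "pam_smbpass.so": True}


def ldap_user(smbpass_ok=True):
    """Constructed: LDAP-only account; pam_unix cannot update /etc/shadow."""
    return {"pam_cracklib.so": True, "pam_unix.so": False,
            "pam_ldap.so": True, "pam_smbpass.so": smbpass_ok}


if __name__ == "__main__":
    print(run_stack(SYSTEM_AUTH_PASSWORD, local_user()))
    print(run_stack(SYSTEM_AUTH_PASSWORD, ldap_user()))
    print(run_stack(SYSTEM_AUTH_PASSWORD, ldap_user(smbpass_ok=False)))
```

Two things the walk makes visible: for a local account the `sufficient` pam_unix line ends the stack, so pam_ldap and pam_smbpass never see that user; for an LDAP account, if pam_smbpass fails (for example because it cannot bind), pam_ldap has already updated the LDAP password before the overall change is reported as failed, leaving the two passwords out of step.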