From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021130

Description of problem:
I was trying to use pam_smbpass.so to keep /etc/samba/smbpasswd in sync with system passwords. The module was compiled from samba-2.2.1a-4 src rpm. I found that pam_smbpass password module cannot obtain correct authentication tokens if it comes after pam_unix:

password required /lib/security/pam_cracklib.so retry=3 type=
password requisite /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password optional /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password required /lib/security/pam_deny.so

The following error messages are logged on attempts to change passwords:

Dec 5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec 5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec 5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec 5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable

I had to put pam_smbpass.so before pam_unix in order to make it work.

Version-Release number of selected component (if applicable):
pam-0.75-19

How reproducible:
Always

Steps to Reproduce:
1. Use the following system-auth configuration file
2. Authenticate user fred once (ssh, pop, or imap, etc.) to create a smbpasswd entry for him.
3. run 'passwd fred' as root.

Actual Results:
Changed Fred's system password, but failed to change his samba password.

Dec 5 21:12:43 daisy PAM_smbpass[5659]: username [fred] obtained
Dec 5 21:12:48 daisy PAM_smbpass[5659]: username [fred] obtained
Dec 5 21:12:48 daisy PAM_smbpass[5659]: passwd: bad authentication token (null or unchanged)
Dec 5 21:12:48 daisy PAM_smbpass[5659]: new password not acceptable

Expected Results:
Change Fred's samba password successfully.

Additional info:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth requisite /lib/security/pam_unix.so likeauth nullok
auth optional /lib/security/pam_smbpass.so migrate
#auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password requisite /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password optional /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Working version of system-auth:

[root@daisy pam.d]# cat system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth requisite /lib/security/pam_unix.so likeauth nullok
auth optional /lib/security/pam_smbpass.so migrate
#auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password optional /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
If I replace pam_unix.so with pam_pwdb.so, then even the previously broken system-auth configuration works nicely.

[root@daisy pam.d]# grep password system-auth
password required /lib/security/pam_cracklib.so retry=3 type=
password requisite /lib/security/pam_pwdb.so nullok use_authtok md5 shadow try_first_pass
password optional /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password required /lib/security/pam_deny.so

So I guess pam_unix.so might have a problem.
Could you please retry with latest Fedora Core?
No response from reporter.
Update, for posterity: http://lists.samba.org/archive/samba-technical/2001-July/015339.html According to this post, this is a bug in pam_unix that's fixed in Linux PAM 0.76 and later.
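
Added example, not part of the original report and not code from PAM or Samba: a small checker that reads a system-auth style file and flags a pam_smbpass password entry that takes its token (use_authtok) from a preceding pam_unix, the ordering reported as failing on pam-0.75-19. The function names are hypothetical, and the two sample stacks are constructed from the configurations quoted in the report.

```python
# Sample inputs constructed from the password stacks quoted in the report.
BROKEN = """\
password required /lib/security/pam_cracklib.so retry=3 type=
password requisite /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password optional /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
#password required /lib/security/pam_deny.so
"""
WORKING = """\
password required /lib/security/pam_cracklib.so retry=3 type=
password optional /lib/security/pam_smbpass.so nullok use_authtok try_first_pass audit
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow try_first_pass
password required /lib/security/pam_deny.so
"""


def password_stack(text):
    """Return [(control, module, args)] for active 'password' lines, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and disabled lines
        if len(fields) < 3 or fields[0] != "password":
            continue
        module = fields[2].rsplit("/", 1)[-1]  # strip the /lib/security/ prefix
        stack.append((fields[1], module, fields[3:]))
    return stack


def smbpass_after_unix(text):
    """Flag pam_smbpass entries with use_authtok that come after pam_unix."""
    findings = []
    seen_unix = False
    for control, module, args in password_stack(text):
        if module == "pam_unix.so":
            seen_unix = True
        elif module == "pam_smbpass.so" and seen_unix and "use_authtok" in args:
            # With 'optional', the module's failure is ignored while other
            # modules decide the result, so passwd still reports success.
            findings.append({"module": module, "control": control,
                             "silent_failure": control == "optional"})
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("working", WORKING)):
        print(name, smbpass_after_unix(cfg))
```

A finding with silent_failure set matches the behaviour in Actual Results: the system password changes while the smbpasswd entry keeps the old one.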