I'm getting up to speed on the pam stuff... I've got an ldap backend for both samba and the unix pwdb (via nss_ldap and pam_ldap) I want to keep NT and linux passwords in sync so I've modified my pam scripts to require pam_smbpass.so as well as pam_unix.so. eg from /etc/pam.d/passwd password requisite pam_cracklib.so retry=3 minlen=6 difok=3 password required pam_ldap.so use_authtok password required pam_unix.so use_authtok nullok md5 password required pam_smbpass.so nullok use_authtok but now i'm considering /etc/pam.d/samba it is currently auth sufficient pam_ldap.so auth required pam_unix.so nullok account sufficient pam_ldap.so account required pam_unix.so session sufficient pam_ldap.so session required pam_unix.so password sufficient pam_ldap.so password required pam_unix.so use_first_pass do i need to add a password required pam_smbpass.so nullok use_authtok line? or will that do this 1) change lmPassword and ntPassword 2) trigger pam.d unix sync b/c of pam password change = Yes 2a) change unix_pw 2b) change lmPassword and ntPassword also can a put in a cracklib line in there (and have it do what i want)? thanks! brad PS Jerry: the pam_smbpass LDAP makefile patch seems to work fine.