Samba 3.5.1, CentOS 5.5 i386 and x86_64. All users are in LDAP, except for the base system accounts with uid < 500. No local SMB passwords. Only file servers are joined to the domain (and the machine in question, below, is not one of these).

I'm trying to get to grips with the pam_smbpass module (so that a Linux user logging in with an expired password changes their LDAP and SMB passwords together), and have a lot of questions. But in this posting, one question only.

It seems that the pam_smbpass module does not function at all unless the LDAP admin password has been entered with "smbpasswd -w", since it appears to be trying to bind as the LDAP admin when a normal user uses the "passwd" command. Indeed, if I don't have an /etc/samba/secrets.tdb file, the action of the passwd command by a normal user is to create one (with what password?), and to create a sambaDomainName entry in the LDAP database for the machine.

Question is: why? Shouldn't it bind as the user who is changing their password? Am I incorrect in thinking that it shouldn't need the LDAP admin password?

I'm currently using this system-auth extract:

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow try_first_pass use_authtok
    password required pam_ldap.so use_authtok use_first_pass
    password required pam_smbpass.so use_authtok use_first_pass

which does appear to do what I want, secrets.tdb notwithstanding.

Steve