On Thu, Jul 25, 2002 at 06:34:11PM +0200, Bartlomiej Solarz-Niesluchowski wrote:
> At 11:05 2002-07-25 -0500, Steve Langasek wrote:
> >I've checked a pam_smbpass binary built from CVS HEAD, and it is
> >correctly linked against libldap; libldap provides the ldap_value_free
> >function. If you're seeing different behavior, either -lldap is not
> >being correctly added to the LIBS line when Samba builds, or your
> >libldap is missing some symbols that pam_smbpass is expecting.
>
> in Makefile:
> LIBS=-lacl -ldl -lnsl -lpam -lpopt
> LDAPLIBS=-lresolv -lldap -llber
> bin/pam_smbpass.so: $(PAM_SMBPASS_OBJ) bin/.dummy
>         @echo Linking shared library $@
>         $(SHLD) -shared -o $@ $(PAM_SMBPASS_OBJ) $(LDFLAGS) -lpam $(DYNEXP) $(LIBS) -lc \
>                 -Wl,-soname=`basename $@`
> I changed to:
> bin/pam_smbpass.so: $(PAM_SMBPASS_OBJ) bin/.dummy
>         @echo Linking shared library $@
>         $(SHLD) -shared -o $@ $(PAM_SMBPASS_OBJ) $(LDFLAGS) -lpam $(DYNEXP) $(LIBS) $(LDAPLIBS) -lc \
>                 -Wl,-soname=`basename $@`

Ok. Straightforward.

> Module loads correctly (no messages in messages), but it does not work
> correctly:
> portraits:~$ passwd
> Changing password for user tester.
> Enter login(LDAP) password:
> Changing password for tester
> Current SMB password:
> passwd: Authentication token manipulation error
> (when I try smbpasswd it works)
> system-auth (RH 73)
> password required /lib/security/pam_cracklib.so retry=3 type=
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_ldap.so use_authtok
> password required /lib/security/pam_smbpass.so smbconf=/etc/samba/smb.conf
> password required /lib/security/pam_deny.so
> (system-auth seems to be ok because I use it on a different machine and it works
> - but on the different machine there is no LDAP)....

Ok, this is the sequence of events you've specified:

- cracklib is required
- if pam_unix succeeds, we consider it a success.
- if pam_unix *fails*, we consider it a failure, but we still try to
  change other passwords (pam_ldap and pam_smbpass).

I would recommend that you take a look at the example PAM configurations
that ship with Samba in the source/pam_smbpass directory. I'm not
entirely certain what effect you're trying to achieve, but I suspect one
of the sample configurations will be closer to what you want than what
you currently have.

BTW, do you already have SMB passwords loaded into LDAP for your users?
If not, you will definitely need to add the 'nullok' option for
pam_smbpass.so.

Steve Langasek
postmodern programmer
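
Added example, not part of the original message or of Samba: a small Python model of how the quoted `password` stack is walked under the simple control keywords, showing which modules are never reached when pam_unix succeeds. The function names are hypothetical, only the simple keywords are handled, and a single pass over the stack is modelled.

```python
# Constructed sample: the password stack quoted in the message above,
# with the mail-wrapped pam_unix line rejoined.
SYSTEM_AUTH = """\
password required   /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required   /lib/security/pam_ldap.so use_authtok
password required   /lib/security/pam_smbpass.so smbconf=/etc/samba/smb.conf
password required   /lib/security/pam_deny.so
"""

def parse_stack(text, mgmt="password"):
    """Return [(control, module)] for one management group of a PAM file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def walk(stack, results):
    """Model one pass over the stack using the simple control keywords only
    (no [value=action] syntax). results maps module -> True/False; modules
    not listed succeed, except pam_deny.so, which always fails.
    Returns (overall_success, modules_called)."""
    failed, called = False, []
    for control, module in stack:
        called.append(module)
        ok = results.get(module, module != "pam_deny.so")
        if control == "requisite" and not ok:
            return False, called          # fail immediately
        if control == "required" and not ok:
            failed = True                 # remember the failure, keep going
        if control == "sufficient" and ok and not failed:
            return True, called           # stop here: the rest never runs
        # a failed "sufficient" and any "optional" result are ignored here
    return not failed, called

def report(text):
    """Return {scenario: (overall_success, modules_never_called)}."""
    stack, out = parse_stack(text), {}
    for label, unix_ok in (("pam_unix succeeds", True), ("pam_unix fails", False)):
        ok, called = walk(stack, {"pam_unix.so": unix_ok})
        out[label] = (ok, [m for _, m in stack if m not in called])
    return out

if __name__ == "__main__":
    for label, (ok, skipped) in report(SYSTEM_AUTH).items():
        print(f"{label}: {'success' if ok else 'failure'}, never called: {skipped}")
```

With this stack, a successful pam_unix ends the walk before pam_ldap and pam_smbpass, while a failed pam_unix lets both run and the trailing pam_deny makes the overall result a failure.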
