Use of pam_exec or pam_smbpass

David Jansen jansen at
Wed Nov 2 09:40:56 UTC 2011

I'm trying to implement a custom password scheme through pam and samba.
Basically, if a user wants to change their password on a client, the
change has to be propagated to the samba server so it can also set the
windows password. It works fine to tell users to use 'smbpasswd -r
samba.mydomain', or to make passwd an alias that does that, but it would
be better to make the change go through PAM so it will work from the GUI
as well.
Now, I found 2 ways to do this: pam_smbpass and pam_exec, but with both,
I seem to be hitting a stone wall.

On a machine that has a full smb.conf with all the LDAP connections etc
(including ldap bind credentials in secrets.tbd), something like 
password   required nullok use_authtok try_first_pass
in the appropriate /etc/pam.d files seems to do the trick. However, I
don't really want to make every desktop a full member of the domain.
So, it would be nice if there was a way to make pam_smbpass connect to a
remote samba server, but I haven't been able to find one. Any help in
this area would be appreciated.

The man page states 'All module types (auth, account, password and
session) are provided.' So it should be possible to write a script or
prtogram to handle a pam password call, right? But, the script I wrote
doesn't seem to receive the old or new password. And re-reading the
documentation, I notice that nothing is mentioned about passing a
password to the module anywhere, except on authentication, when
expose_authtok will do that (then the password will be passed through
stdin). But nothing like that when called for a password change.
Again, what did I miss? Is the password module type not fully
implemented, or should this be handles in another way?

(OS: Fedora 15, RHEL 6, both same situation) 

David Jansen

PS: I know a 3rd option would be to switch everything over to winbind,
which may or may not work in our complex situation with various Windows
domains with trusts. The point is: everything else works, except for a
consistent password change method, so before we decide to redesign the
whole setup, we want to be absolutely sure that there isn't something
simple we are overlooking.

More information about the users mailing list