deadcasuals's Journal: pam_smb on debian

I've used pam_smb quite a bit in the past (mostly on Red Hat) to authenticate local linux users against a windows domain and I've always thought it worked pretty well. I completly love PAM and think it's one of the coolest parts of *nix. I had quite a time getting it to work today, though. I've always used the "sufficient" directive to allow both local shadow password lookups as well as domain lookups which is nice because you can still have local passwords for root.

Well, on the Woody system, when I modified the /etc/pam.d/ssh file to have both pam_unix.so and pam_smb_auth.so set to sufficient, the net result was that you could log in to the system using *any* password! Even incorrect ones! Not exactly the effect I was looking for... To make a long story short, I found that you need an extra line at the bottom of the pam config file if you have multiple "sufficient" auth lines. You have to put in "auth required pam_deny.so" which acts as a "catch all" deny statement.