# [solved]Samba+PAM(NT_STATUS_WRONG_PASSWORD)

## sulek

When I try to connect to a Samba share I get the following message:

```
sculptor samba # smbclient -U user //192.168.100.3/share
added interface ip=192.168.100.3 bcast=192.168.100.255 nmask=255.255.255.0
Client started (version 3.0.14a).
Connecting to 192.168.100.3 at port 445
Password:
Domain=[domain] OS=[Unix] Server=[Samba 3.0.14a]
tree connect failed: NT_STATUS_WRONG_PASSWORD
```

In the Samba log I have:

```
[2005/11/25 14:07:41, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/11/25 14:07:41, 3] auth/auth.c:check_ntlm_password(295)
  check_ntlm_password:  PAM Account for user [user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2005/11/25 14:07:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user] -> [hanna] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
```

Even if I change the user's password with smbpasswd I still get errors!

It looks like a problem with the PAM module.

Configuration: 

```
sculptor samba # cat /etc/pam.d/samba
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
#    (Diego "Flameeyes" Petteno'): enable with pam>=0.78 only
auth       required     pam_smbpass.so nodelay
#account    include      system-auth
#session    include      system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
```

###########################

```
[global]
   workgroup = company
   netbios name = server
   load printers = no
   guest account = nobody
   log file = /var/log/samba/%m.log
   max log size = 0
   security = share
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   unix password sync = no
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   pam password change = yes
   obey pam restrictions = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   domain logons = no
   dns proxy = no
   log level = 3 passdb:5 auth:10 winbind:2

[share]
   path = /share
   public = no
   writable = yes
   printable = no
   only guest = no
   guest ok = no
   valid users = user
```

Solution:

obey pam restrictions = no

and all works fine!

----------
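Added example, not part of the original post: a short Python parser for the smbd log format quoted above that labels each failed login by the stage that rejected it. It assumes a "PAM Account ... FAILED" entry is only logged once the password itself has been accepted, so a matching entry with the same timestamp means the PAM account stack (consulted because of `obey pam restrictions = yes`) refused the login, which changing the password with smbpasswd does not affect. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the smbd log format quoted in the post; the last
# entry (user "bob") is invented to show an ordinary bad-password failure.
SAMPLE_LOG = """\
[2005/11/25 14:07:41, 3] auth/auth.c:check_ntlm_password(295)
  check_ntlm_password:  PAM Account for user [user] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2005/11/25 14:07:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [user] -> [hanna] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2005/11/25 14:09:02, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+\S+")
PAM_ACCT = re.compile(r"PAM Account for user \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")
AUTH = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")


def entries(text):
    """Yield (timestamp, message) pairs; indented lines continue the entry."""
    ts, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(body)
            ts, body = m.group(1), []
        elif line.strip() and ts is not None:
            body.append(line.strip())
    if ts is not None:
        yield ts, " ".join(body)


def classify_failures(text):
    """Label each failed login by the stage that rejected it."""
    pam = None  # (timestamp, user) of the most recent PAM account failure
    out = []
    for ts, msg in entries(text):
        if (m := PAM_ACCT.search(msg)):
            pam = (ts, m.group(1))
        elif (m := AUTH.search(msg)):
            user, mapped, status = m.groups()
            by_pam = pam is not None and pam[0] == ts and pam[1] in (user, mapped)
            out.append((user, status, "pam_account" if by_pam else "credentials"))
            pam = None
    return out


if __name__ == "__main__":
    for user, status, stage in classify_failures(SAMPLE_LOG):
        print(f"{user}: {status} rejected at stage {stage}")
```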

