Following discussions with Cristian Gafton (Red Hat) we have decided to make

PAM silent about it's actions. This reduced error logging for EVERY password
validation request. Refer to password.c PAM section for further info.
Fiels Affected: password.c

1 files changed, 8 insertions, 2 deletions

diff --git a/source/smbd/password.c b/source/smbd/password.c
index 1c72f0cfa6e..c2b916a0af8 100644
--- a/source/smbd/password.c
+++ b/source/smbd/password.c
@@ -442,13 +442,19 @@ static BOOL pam_auth(char *this_user,char *password)
   PAM_username = this_user;
   pam_error = pam_start("samba", this_user, &PAM_conversation, &pamh);
   PAM_BAIL;
-  pam_error = pam_authenticate(pamh, 0);
+/* Setting PAM_SILENT stops generation of error messages to syslog
+ * to enable debugging on Red Hat Linux set:
+ * /etc/pam.d/samba:
+ *	auth required /lib/security/pam_pwdb.so nullok shadow audit
+ * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging)
+ */
+  pam_error = pam_authenticate(pamh, PAM_SILENT);
   PAM_BAIL;
   /* It is not clear to me that account management is the right thing
    * to do, but it is not clear that it isn't, either.  This can be
    * removed if no account management should be done.  Alternately,
    * put a pam_allow.so entry in /etc/pam.conf for account handling. */
-  pam_error = pam_acct_mgmt(pamh, 0);
+  pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
   PAM_BAIL;
   pam_end(pamh, PAM_SUCCESS);
   /* If this point is reached, the user has been authenticated. */