Samba is installed as a dependency with the following flags:

net-fs/samba-4.11.13::gentoo USE="acl pam system-mitkrb5 winbind -addc -addns -ads -ceph -client -cluster -cups -debug (-dmapi) (-fam) -gpg -iprint -json -ldap -profiling-data -python -quota (-selinux) -snapper -syslog (-system-heimdal) -systemd (-test) -zeroconf" PYTHON_SINGLE_TARGET="python3_7 -python3_6 -python3_8"

Thus, flags "pam" and "winbind" are set.

In the recent net-fs/samba/samba-4.11.13.ebuild, the corresponding block installs /etc/pam.d/system-auth-winbind:

    if use pam && use winbind ; then
        newpamd "${CONFDIR}/system-auth-winbind.pam" system-auth-winbind
        # bugs #376853 and #590374
        insinto /etc/security
        doins examples/pam_winbind/pam_winbind.conf
    fi

CONFDIR is hardcoded in the ebuild as follows:

    #CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)"
    CONFDIR="${FILESDIR}/4.4"

Thus, samba package installs pam module as old as samba-4.4 version. This pam template contains the following lines:

    password required pam_cracklib.so retry=3
    password sufficient pam_unix.so nullok use_authtok md5 shadow
    password required pam_deny.so

However, with sys-auth/pambase-20201010 and sys-libs/pam-1.4.0_p20200829 module pam_cracklib.so becomes deprecated. Line "required pam_cracklib.so" will render into always failing authentication due to absence of required module.
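The failure described in the report above can be checked for on an installed system by comparing every module named in /etc/pam.d against the files in the PAM module directory. The script below is an added example, not part of the original report, the samba ebuild or pambase; the function name, the caller-supplied module directory and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: list PAM stack entries whose module file is not installed.
# Backslash line continuations in PAM files are not handled.
# Usage: pam_missing_modules <pam.d directory> <PAM module directory>
pam_missing_modules() {
    pam_dir=$1
    mod_dir=$2   # assumption: supplied by the caller, e.g. /lib64/security
    for f in "$pam_dir"/*; do
        [ -f "$f" ] || continue
        # Emit "lineno module control" for each entry that names a module.
        awk '
            { sub(/#.*/, "") }          # drop comments
            NF < 3 { next }             # blank, or not "type control module"
            {
                i = 2; ctl = $i
                # A bracketed control like [success=1 default=ignore] spans fields.
                while (ctl ~ /^\[/ && ctl !~ /\]$/ && i < NF) ctl = ctl " " $(++i)
                if (ctl == "include" || ctl == "substack") next
                if (i < NF) print NR, $(i + 1), ctl
            }' "$f" |
        while read -r n mod ctl; do
            case $mod in
                /*) path=$mod ;;              # absolute module path
                *)  path=$mod_dir/$mod ;;     # relative to the module directory
            esac
            [ -e "$path" ] || printf '%s:%s: %s %s: module not found\n' "$f" "$n" "$ctl" "$mod"
        done
    done
}

# Constructed sample: the three password lines quoted in the report, checked
# against a module directory that holds pam_unix.so and pam_deny.so only.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pam.d" "$d/security"
    touch "$d/security/pam_unix.so" "$d/security/pam_deny.so"
    cat > "$d/pam.d/system-auth-winbind" <<'EOF'
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
EOF
    pam_missing_modules "$d/pam.d" "$d/security"
    rm -rf "$d"
}
demo
```

An entry reported with a `required` or `requisite` control is the case from the report: the stack cannot succeed while that module is absent.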
Might be useful to coordinate with https://bugs.gentoo.org/show_bug.cgi?id=748405 and wait until that one has settled. Changes in system-auth could be pending and impacting include/substack statements depending on pambase such as this one here.
BTW, same configuration is shipped with samba-4.13, thus, all available samba versions have same issue.
(In reply to SacredRide from comment #1)
> Might be useful to coordinate with
> https://bugs.gentoo.org/show_bug.cgi?id=748405 and wait until that one has
> settled. Changes in system-auth could be pending and impacting
> include/substack statements depending on pambase such as this one here.

These are completely different things, samba is providing its own stack file, which does not rely on the existing pambase files
(In reply to Mikle Kolyada from comment #3)
> (In reply to SacredRide from comment #1)
> > Might be useful to coordinate with
> > https://bugs.gentoo.org/show_bug.cgi?id=748405 and wait until that one has
> > settled. Changes in system-auth could be pending and impacting
> > include/substack statements depending on pambase such as this one here.
>
> These are completely different things, samba is providing its own stack file,
> which does not rely on the existing pambase files

Has adding a "winbind" use-flag to sys-auth/pambase been considered, instead of allowing the samba ebuild to drop bad configs into /etc/pam.d?