samba PDC with NIS, or other solution?

Todd Pfaff pfaff at edge.cis.mcmaster.ca
Fri Nov 9 09:27:03 GMT 2001


On Fri, 9 Nov 2001, Alexander Lazarevich wrote:

> I'm still unclear as to how, or if, I can get the current /etc/passwd file
> from the current NIS master onto the new samba PDC (which will become
> the new NIS master). In one of your emails you mentioned something about a
> script that comes with the samba source that will create the smbpasswd
> from disabled accounts. What is this script called? Is there a man/docs
> on it? Will this script take an /etc/passwd file from an NIS master and
> create a smbpasswd file from it? That seems too good to be true...

The script that he mentions is for populating your smbpasswd file with
all existing account information except for the encrypted password field.
I don't know what the name of the script is that Christian is referring to
but I've attached the one I wrote myself, and you could probably write
such a script yourself.  I also run a Linux server as an NIS master and a
samba PDC.  I call the attached script from my NIS makefile to update the
smbpasswd file whenever I modify passwd and run an NIS make.

There is no way to directly convert the unix encrypted passwords to smb
encrypted passwords other than cracking each password to get the
cleartext equivalent and then creating the smbpasswd encrypted 
equivalent.  Of course, this may not work for all passwords.

The alternative method provided by samba relies on several things...
- your smb client will use cleartext passwords if the server allows
- the samba server has been configured to allow cleartext passwords
- you have set 'update encrypted' appropriately in smb.conf

Read the docs to figure out how to ensure the above conditions.

If you can't allow cleartext passwords on your network then this method
will not work for you.

--
Todd Pfaff                         \  Email: pfaff at mcmaster.ca
Computing and Information Services  \ Voice: (905) 525-9140 x22920
ABB 132                              \  FAX: (905) 528-3773
McMaster University                   \
Hamilton, Ontario, Canada  L8S 4M1     \
-------------- next part --------------
#!/usr/local/bin/perl
#
# build the smbpasswd file from the /etc/passwd file.
#
# - create accounts that exist in /etc/passwd and not in smbpasswd
# - remove accounts that exist in smbpasswd and not in /etc/passwd
# - preserve existing password, flags and LCT fields in smbpasswd
# - sets new account passwords to locked (all Xs)
# - put a W in the smbpasswd flag field of machine accounts
#   (ie. any account ending in $)
# - put a U in the smbpasswd flag field of user accounts
#
# Todd Pfaff <pfaff at mcmaster.ca>

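use strict;
use warnings;

my $passwd     = "/etc/passwd";
my $smbpasswd  = "/usr/local/samba/private/smbpasswd";
my $osmbpasswd = "$smbpasswd.old";

# smbpasswd holds password hashes; keep new files readable by owner only
umask 077;

# read the unix accounts first, and stop before touching smbpasswd
# if passwd cannot be read (otherwise an empty smbpasswd would be written)
my @pw;
open(PW, "<", $passwd) or die "cannot read $passwd: $!\n";
while (<PW>) {
  chomp;
  push @pw, $_;
}
close PW;

# keep the current smbpasswd as a backup and index its entries by username
my %spw;
if (-e $smbpasswd) {
  rename($smbpasswd, $osmbpasswd)
    or die "cannot rename $smbpasswd to $osmbpasswd: $!\n";
  open(PW, "<", $osmbpasswd) or die "cannot read $osmbpasswd: $!\n";
  while (<PW>) {
    chomp;
    next unless length;
    my ($uname) = split(':');
    $spw{$uname} = $_;
  }
  close PW;
}

# write the new smbpasswd, one entry per unix account
open(PW, ">", $smbpasswd) or die "cannot write $smbpasswd: $!\n";
foreach my $account (@pw) {
  next unless length $account;
  my ($uname, $pw, $uid, $gid, $fname, $dir, $shell) = split(':', $account);
  # new accounts get locked (all Xs) password fields
  my $pw1 = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
  my $pw2 = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
  # W for machine accounts (name ends in $), U for user accounts
  my $flags;
  if (substr($uname, -1) eq "\$") {
    $flags = "[W          ]";
  }
  else {
    $flags = "[U          ]";
  }
  my $lct = "LCT-363F96AD"; # got this value from samba/bin/convert_smbpasswd
  if ($spw{$uname}) {
    # preserve existing password, flags and LCT fields
    (undef, undef, $pw1, $pw2, $flags, $lct) = split(':', $spw{$uname});
  }
  printf(PW "%s:%s:%s:%s:%s:%s:%s:\n", $uname, $uid, $pw1, $pw2, $flags, $lct, $fname);
}
close(PW) or die "cannot finish writing $smbpasswd: $!\n";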
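
While the cleartext-based migration described in the message is running, it helps to know which user accounts still carry the locked all-X password fields that the script above writes, since those users cannot yet authenticate with encrypted passwords. The following is an added example, not part of the original message or of the Samba source; the function names and sample entries are constructed for illustration.

```python
"""Report smbpasswd user accounts that still have locked (all-X) fields."""
import sys

LOCKED = "X" * 32  # value the sync script writes for new accounts


def parse_smbpasswd(lines):
    """Yield (name, pw1, pw2, flags) for each well-formed entry."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue  # malformed entry, skip rather than guess
        name, _uid, pw1, pw2, flags = fields[:5]
        yield name, pw1, pw2, flags


def pending_users(lines):
    """User accounts whose two password fields are both still locked."""
    pending = []
    for name, pw1, pw2, flags in parse_smbpasswd(lines):
        # machine accounts end in $ and carry the W flag; leave them out
        is_machine = name.endswith("$") or "W" in flags
        if not is_machine and pw1 == LOCKED and pw2 == LOCKED:
            pending.append(name)
    return pending


# Constructed sample entries in the layout the script above prints.
SAMPLE = [
    "alice:1001:%s:%s:[U          ]:LCT-363F96AD:Alice:" % (LOCKED, LOCKED),
    "bob:1002:%s:%s:[U          ]:LCT-363F96AD:Bob:"
    % ("0123456789ABCDEF" * 2, "FEDCBA9876543210" * 2),
    "ws01$:2001:%s:%s:[W          ]:LCT-363F96AD::" % (LOCKED, LOCKED),
    "# comment line",
    "",
]

if __name__ == "__main__":
    # Pass the smbpasswd path as the first argument, or run on the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    todo = pending_users(source)
    print("%d user account(s) still locked:" % len(todo))
    for name in todo:
        print("  " + name)
```

When the list is empty, every user account has picked up a password and the cleartext allowance can be reviewed.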
