[Samba] smbpasswd + ldap questions

[David Wright]

I would like to have sync'd Unix and Samba passwords. My Unix passwords 
are stored in OpenLDAP for uniformity across machines and services. I 
have some problems with the standard solutions to this problem though:

* if I have Samba authenticate from OpenLDAP directly (using the 
smbPassword attribute), then I get sync'ing problems when the password 
is changed via normal Unix means. We are primarily a Unix shop; I cannot 
force my users to change passwords always via Samba. Also, I would 
really prefer to stay within the PAM universe, not merely because of its 
elegance, but also because it allows me to do very flexible, additional 
checks (e.g. pam_cracklib).

* keeping Samba passwords in smbpasswd and using pam_smbpasswd to auth 
and sync would be perfect -- except that my users don't work on my file 
server, so no PAM stack there would ever be executed (I guess I could 
put smb_passwd in the PAM stack of netatalk, which runs from that 
machine, but demanding that users mount thei home directory via 
Appletalk in order to sync their Samba passwords seems rather bizarre). 
Even if I were to run Samba on a user machine, the smbpasswd file would 
only be updated if the user happened to run passwd on THAT machine.

What I really want is either:

* that pam_smbpasswd be able to update the smbpasswd file on ANOTHER 
computer. Say on the file server via smb. Is this actually possible and 
I've just missed it? If so, how do I configure that? Or...

* a "pam_smbldap" module that does what pam_smbpasswd does, but uses an 
LDAP backend in place of the smbpasswd file. I actually looked at the 
pam_smbpasswd code to see if this would be easy to implement. The code 
is very straightforward, but unfortunately this is because it hides all 
of the actual work in calls to Samba libraries. Has someone with more 
unserstanding of the Samba internals perhaps already undertaken the 
production of a "pam_smbldap" module?