[Samba] Re: [GLUG] Samba password changes?

Andrew Bartlett abartlet at samba.org
Fri Oct 11 12:49:01 GMT 2002


Buchan Milne wrote:
> 
> Adriaan.Putter at aventis.com wrote:
> > hi,
> >
> > i've setup a LDAP server with account information,
> > and compiled samba with ldap support.
> >
> > everything works great, except for the password changes
> > i still have to run two separate commands ( passwd, smbpasswd )
> > to change a users password.
> >
> > i've tried to put the pam_smbpasswd.so module into
> > system-auth, but that does work?
> >
> 
> No, pam_smbpasswd is meant for modifying the smbpasswd file, it doesn't
> do anything else.
> 
> I found the best solution was to use:
> 
> unix password sync = yes
> pam password change = yes
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
> *LDAP*passwd:*all*authentication*tokens*updated*successfully*
> 
> (not sure if the passwd chat is necessary)
> 
> and then modify your /etc/pam.d/passwd to do password changes via LDAP.
> This ensures that password changes from samba apply the same rules that
> any other password change would apply.
> 
> Only problem I have now is if a user does a unix password change, it
> currently won't change their windows password, but I believe there is a
> hacked pam_ldap which will do that too.
> 
> (I have some issues with the idealx stuff, but it should all work out
> the box on recent Mandrake RPMs).

You seem to be in a bit of a mess here...

pam_smbpass uses Samba's passdb backend to communicate with smbpasswd,
or Samba's LDAP backend.  It allows the full range of operations
normally available on /etc/shadow:  checking and changing passwords,
both as root and a normal user.

This should allow you to keep just one password database, and not use
/etc/shadow.  Or you can keep them both in sync, by listing both in your
PAM configuration.

The other thing mentioned here (unix password sync) is a way to sync
incoming remote password changes with 2 sources, the smbpasswd file/LDAP
equiv and some 'unix' password system.  This only matters if you keep
the unix password file - you may be better to use pam_smbpass and just
use one.


A third option is with Samba 3.0, we have 'ldap password sync', this
sets the userPassword attribute in LDAP via an extended operation, and
lets you aim pam_ldap at your LDAP DB.

A fourth option (again 3.0) is to run winbindd on your PDC, set 'winbind
use default domain' and use pam_winbind.

In any case, there are certainly plenty of solutions here...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
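The "keep them both in sync by listing both in your PAM configuration" option, as an added configuration example that is not part of the thread or of Samba's own documentation. It assumes a Red Hat-style /etc/pam.d/passwd whose password stack is walked top to bottom; pam_cracklib and pam_unix are the usual Linux-PAM modules, and use_authtok is the standard PAM option that makes a later module reuse the new password already collected by an earlier one.

```conf
# /etc/pam.d/passwd -- added example, not from the thread (assumed layout).
# The first module prompts for and checks the new password; the two
# stores below it take that same token via use_authtok, so the user
# types the password once and /etc/shadow and the Samba backend
# (smbpasswd file or LDAP, whichever passdb backend smb.conf names)
# both receive the same value.
password   requisite   pam_cracklib.so retry=3 minlen=8
password   required    pam_unix.so use_authtok shadow md5
password   required    pam_smbpass.so use_authtok
```

Because both store modules are "required", a failure in either one fails the whole change, which is the behaviour you want when the two databases are supposed to stay identical: a half-applied change would leave a user with different Unix and SMB passwords, exactly the state the original question was trying to avoid. With this in place, "unix password sync" in smb.conf becomes unnecessary for local changes, since the PAM stack itself updates both stores.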