[Samba] Re: [GLUG] Samba password changes?
Andrew Bartlett
abartlet at samba.org
Fri Oct 11 12:49:01 GMT 2002
Buchan Milne wrote:
>
> Adriaan.Putter at aventis.com wrote:
> > hi,
> >
> > I've set up an LDAP server with account information,
> > and compiled samba with ldap support.
> >
> > everything works great, except for the password changes
> > I still have to run two separate commands ( passwd, smbpasswd )
> > to change a user's password.
> >
> > I've tried to put the pam_smbpasswd.so module into
> > system-auth, but that does work?
> >
>
> No, pam_smbpasswd is meant for modifying the smbpasswd file, it doesn't
> do anything else.
>
> I found the best solution was to use:
>
> unix password sync = yes
> pam password change = yes
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
> *LDAP*passwd:*all*authentication*tokens*updated*successfully*
>
> (not sure if the passwd chat is necessary)
>
> and then modify your /etc/pam.d/passwd to do password changes via LDAP.
> This ensures that password changes from samba apply the same rules that
> any other password change would apply.
>
> Only problem I have now is if a user does a unix password change, it
> currently won't change their windows password, but I believe there is a
> hacked pam_ldap which will do that too.
>
> (I have some issues with the idealx stuff, but it should all work out
> the box on recent Mandrake RPMs).

You seem to be in a bit of a mess here...

pam_smbpass uses Samba's passdb backend to communicate with smbpasswd,
or Samba's LDAP backend. It allows the full range of operations
normally available on /etc/shadow: checking and changing passwords,
both as root and a normal user.

This should allow you to keep just one password database, and not use
/etc/shadow. Or you can keep them both in sync, by listing both in your
PAM configuration.

The other thing mentioned here (unix password sync) is a way to sync
incoming remote password changes with 2 sources, the smbpasswd file/LDAP
equiv and some 'unix' password system. This only matters if you keep
the unix password file - you may be better to use pam_smbpass and just
use one.

A third option is with Samba 3.0, we have 'ldap password sync', this
sets the userPassword attribute in LDAP via an extended operation, and
lets you aim pam_ldap at your LDAP DB.

A fourth option (again 3.0) is to run winbindd on your PDC, set 'winbind
use default domain' and use pam_winbind.

In any case, there are certainly plenty of solutions here...

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
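
To see which of the four options from the reply above a host is actually configured for, the following added example (not part of the original thread or of Samba) reads an smb.conf and a PAM service file and names the options in use. The function names and the sample file contents are constructed for illustration; the PAM lines assume the usual `password <control> <module> [args]` layout.

```python
import re

TRUE = {"yes", "true", "1", "on"}

def smb_globals(text):
    """Return [global] parameters from smb.conf text, keys lowercased."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            params[" ".join(key.lower().split())] = val.strip().lower()
    return params

def pam_password_modules(text):
    """Return module file names on the 'password' lines of a PAM file."""
    mods = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "password":
            mods += [f.rsplit("/", 1)[-1] for f in fields[1:] if f.endswith(".so")][:1]
    return mods

def sync_options(smb_text, pam_text):
    """Name which of the options from the reply a configuration uses."""
    smb, pam = smb_globals(smb_text), pam_password_modules(pam_text)
    found = []
    if "pam_smbpass.so" in pam:
        found.append("pam_smbpass")
    if smb.get("unix password sync") in TRUE:
        found.append("unix password sync")
    # Samba 3.0 documents this as 'ldap passwd sync'; the reply writes 'ldap password sync'
    if {smb.get("ldap passwd sync"), smb.get("ldap password sync")} & TRUE:
        found.append("ldap password sync")
    if smb.get("winbind use default domain") in TRUE and "pam_winbind.so" in pam:
        found.append("winbind")
    return found

# Constructed samples: the quoted smb.conf settings with an LDAP-backed PAM
# stack, and a PAM stack that lists both pam_unix and pam_smbpass.
QUOTED_SMB = "[global]\nunix password sync = yes\npam password change = yes\n"
LDAP_PAM = "password sufficient pam_ldap.so use_authtok\n"
BOTH_PAM = "password requisite pam_unix.so shadow\npassword required pam_smbpass.so use_authtok\n"

if __name__ == "__main__":
    print(sync_options(QUOTED_SMB, LDAP_PAM))
    print(sync_options("[global]\n", BOTH_PAM))
```

An empty result means password changes made on one side are not propagated by any of the mechanisms discussed in the thread.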