[Samba] pam_smbpass Guidance

Ryan Novosielski novosirj at UMDNJ.EDU
Mon Jan 13 22:10:01 GMT 2003


I am looking to move to encrypted passwords -- pam_smbpass looks like a
very attractive option to me. However, here is my problem: the way a user
FIRST logs in, 90% of the time, is in the lab, through a Win98 and Samba
machine. Therefore, the user MUST be able to login with their new
account/password (or for that matter, existing user account/password
pre-migration) to Samba first. Our account creating procedure is the
following:

1) Account is created
2) User comes to support and checks to see if account is ready
3) User changes password (from privileged account at support desk, akin to
sudo)
4) User walks away and typically goes to try their account on lab PCs, or
if not that time, at least will log in for his/her first time to a lab PC

...my assumption is that in this case, the password change will take care
of the creation/password changing of the smbpasswd entry. However, what
about accounts that are in our /etc/passwd already? Does pam_smbpass
update passwords in smbpasswd WITHOUT encrypted passwords turned on
(something akin to 'update encrypted'), or must I turn encryption on
FIRST, thus making it impossible for any user to log onto a lab PC (and
therefore not allowing them to access any other means of logging into the
machine?)

Also, one final question... the pam.conf entries:

auth optional /lib/security/pam_smbpass.so migrate

...and...

password required /lib/security/pam_smbpass.so use_authtok try_first_pass migrate

...do these only affect first logins, or does this mean any user who
properly authenticates on our machines (via telnet, ssh) will have their
password synced with smbpasswd?

BASICALLY, to sum up... this is what I would /like/ to have happen, and
maybe someone can tell me how close I can come to the ideal:

1) Compile/install Samba (Samba is currently running, but an update to
2.2.7a is in order anyway) and modify pam.conf (HP-UX) to include the
above modules
2) Wait awhile for users to login through all services -- as many as
possible (can a sync be triggered by, for example, an imapd or pop3d
login? many of our users don't bother with interactive logins), INCLUDING
Samba while encrypted passwords are turned off.
3) When it appears as if enough users have logged in (so that we are not
bombarded with users that cannot do Samba logins in the lab and will need
assistance from staff), "flip the switch" as it were to start using
encrypted passwords.

Is all of that possible?

---- _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  |  | Ryan Novosielski - Jr. UNIX Systems Admin
|$&| |__| |  | |__/ | \| _|  | novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent. | IST/ACS - New Jersey Medical School - C630
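As an added example, not part of the original post or of Samba itself: step 3 above needs a way to judge how many accounts have actually been picked up by pam_smbpass before "flipping the switch". The POSIX shell function below compares a passwd file against an smbpasswd file and prints the login names that still have no smbpasswd entry. The file paths, the UID cutoff for skipping system accounts, and the sample entries are constructed assumptions; in particular the smbpasswd location depends on how Samba was built, so it is passed in rather than hard-coded.

```shell
#!/bin/sh
# Added example, not from the original post. Lists login names present in
# a passwd file but absent from an smbpasswd file, so an admin can see how
# far the pam_smbpass migration has progressed before enabling
# "encrypt passwords = yes". Paths are parameters because the smbpasswd
# location depends on the Samba build (assumption: the caller knows it).

# unmigrated_users PASSWD_FILE SMBPASSWD_FILE [MIN_UID]
# Prints one login name per line for accounts with uid >= MIN_UID
# (default 100, to skip system accounts) that have no smbpasswd entry.
unmigrated_users() {
    passwd_file=$1
    smb_file=$2
    min_uid=${3:-100}
    # smbpasswd format: name:uid:LMhash:NThash:[flags]:LCT-xxxxxxxx:
    # Comment lines start with '#'. FILENAME is compared against ARGV[1]
    # instead of the usual FNR==NR idiom so an empty smbpasswd file
    # (nobody migrated yet) does not make the rule misfire on passwd lines.
    awk -F: -v min_uid="$min_uid" '
        FILENAME == ARGV[1] {
            if ($1 !~ /^#/ && NF >= 2) smb[$1] = 1
            next
        }
        $3 + 0 >= min_uid && !($1 in smb) { print $1 }
    ' "$smb_file" "$passwd_file"
}

# demo_unmigrated: builds constructed sample files in a temp dir, runs the
# check, cleans up, and prints the result. Hash fields are placeholders.
demo_unmigrated() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/:/sbin/sh
daemon:x:1:5::/:/sbin/sh
alice:x:1001:20:Alice Example:/home/alice:/bin/sh
bob:x:1002:20:Bob Example:/home/bob:/bin/sh
carol:x:1003:20:Carol Example:/home/carol:/bin/sh
EOF
    # Only alice has logged in through a pam_smbpass-enabled service so far.
    cat > "$dir/smbpasswd" <<'EOF'
# Constructed sample smbpasswd file
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
EOF
    unmigrated_users "$dir/passwd" "$dir/smbpasswd"
    rm -rf "$dir"
}

demo_unmigrated
```

Run against the live files (for example `unmigrated_users /etc/passwd /path/to/private/smbpasswd`, with the real smbpasswd path substituted) and re-run it daily during the migration window; when the list has shrunk to accounts that are known to be dormant, the remaining users are the ones who will need help at the support desk after encryption is turned on.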