Samba PDC as a password server

Stephen Langasek vorlon at
Sat May 2 17:17:13 GMT 1998

On Fri, 1 May 1998, Luke Kenneth Casson Leighton wrote:

> On Thu, 30 Apr 1998, Dana Canfield wrote:
> > scheme. The only "tidy" solution I can think of that might keep
> > overhead low is to create some kind of "pam_smbdb".  This would work
> > just like pam_pwdb, but would work with NT-style encryption, meaning
> > you could yank out /etc/passwd and replace it with the contents of
> > smbpasswd.

> oo.  that would do it.

This sounds a bit like a module I've been (sporadically) working on,
called pam_smbpass.  This module is intended to be usable for both
password changes and authentication against an /etc/smbpasswd-type
local database file.  The password updates work fine, and I've been using
it for a while now to keep passwords synched between the unix & smb
databases, althoug I ran into a problem when I looked into stripping out
all other authentication code from samba in favor of a pure PAM interface:
since not even the version of the password as stored in the smbpasswd file
is available to the server in a network transaction, the module has to be
able to take the doubly-encrypted password and the original salt,
re-encrypt the password from the database, and spit back a yes or no at
the application.  It's straightforward to fix, I just haven't gotten
around to doing it yet...

The current version is available at, for
those who are interested.  Hopefully it'll save someone out there some
duplication of effort. :)

                           -Steve Langasek

More information about the samba-ntdom mailing list