Sync issue with encrypted passwords

Lisa Becktold {CADIG STAFF} lisa at USNA.Navy.Mil
Tue Sep 28 13:08:32 GMT 1999


I'm not sure of all the details concerning your configuration...
are you running Samba as an NT PDC?

We are running Samba on both an SGI and SUN server.  Both are
acting as PDCs of different domains.

On the Sun server, I have "unix password sync" set and it works!
(Thanks to a lot of help from this mailing list).  This means
that users can sit down at NT workstations that are members
of the Sun server Samba domain, and when they change their
password it changes both smbpasswd AND /etc/passwd.

Is this what you're trying to do?

If so, then you must rewrite your "passwd chat" script so that
it doesn't prompt for the old password.  I think this may be
necessary because you can't decrypt that old password across NT/Samba/UNIX.

These are the settings that worked for me:

        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat    = *New*password* %n\n *new*password* %n\n *passw*d*d*on*

Run the UNIX "passwd username" program as root.  What prompts do you see?
Incorporate parts of those prompts with wild cards in your "passwd chat"

One wrinkle - if you're running NIS, then you must run "unix password sync"
on the NIS master.  IT WILL NOT WORK ON AN NIS SLAVE, because the slave
NIS server will prompt for the old password and will NOT change a user's
password unless it gets the old password first.

On the NT workstation, you will be prompted for the old password.  Enter it,
but don't worry - it doesn't percolate up to the UNIX passwd level.  Samba
is smart enough to parse out the old password, and just grab the new ones
to pass to /usr/bin/passwd.


> Hi guys,
>     I get the following error when I run testparm against my smb.conf
> file:
> "ERROR: the 'passwd chat' script [*old*password* %o\n *new*password*
> %n\n *new*password* %n\n *changed*] expects to use the old plaintext
> password via the %o substitution. With encrypted passwords this is not
> possible."
> I assume that this will cause problems when it comes to NT4w users
> trying to change their passwords.
> How do I resolve this? Am I forced to use plaintext passwords when
> syncing passwords with unix accounts? Or is the whole issue moot if I
> were to use an LDAP backend?
> Any help is much appreciated.
> Thanks,
> --
> Karl Dane
> Systems Administrator, Bibliotech
> Steinbach's Guideline for Systems Programming:
>         Never test for an error condition you don't know how to
> handle.
> p.s. I attach my smb.conf for the sake of clarity.
> # Global parameters
>         workgroup = <snip>
>         netbios name = <snip>
>         server string = <snip>
>         interfaces = <snip>
>         encrypt passwords = Yes
>         log level = 1
>         log file = /var/log/samba/log.%m
>         max log size = 200
>         time server = Yes
>         socket options = TCP_NODELAY
>         printcap name = /etc/printcap
>         domain logons = Yes
>         os level = 65
>         preferred master = Yes
>         domain master = Yes
>         dns proxy = No
>         printing = bsd
>         print command = lpr -r -P%p %s
>         lpq command = lpq -P%p
>         lprm command = lprm -P%p %j
>         passwd program = /usr/bin/passwd
>         unix password sync = True
>         domain admin users = rince gwen atomix terence olly
>         domain admin group = rince gwen atomix terence olly
> [netlogon]
>         locking = no
>         public = no
>         browseable = yes
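The exchange described in the reply above, as an added example that is not part of the original post and not Samba's own code: a simplified model of how the "passwd chat" expect/send sequence is driven against the prompts of the UNIX passwd program, the %o check that testparm reports, and why a server that demands the old password first (the NIS slave case) cannot be driven by a chat that only sends the new one. The prompt strings are constructed samples, and treating `*` as a wildcard with case-insensitive matching is an assumption about Samba's matcher.

```python
import fnmatch

# Chat from the reply above and the %o-style chat that testparm rejected (quoted post).
SUN_CHAT = r"*New*password* %n\n *new*password* %n\n *passw*d*d*on*"
OLD_STYLE_CHAT = r"*old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*"

# Constructed prompt sequences, standing in for what "passwd username" prints as root.
MASTER_PROMPTS = ["New password: ", "Re-enter new password: ", "passwd: password changed, all done"]
NIS_SLAVE_PROMPTS = ["Old password: ", "New password: ", "Re-enter new password: "]


def check_chat(chat, encrypt_passwords):
    """The testparm complaint: %o needs a plaintext old password, which encrypted passwords never yield."""
    if encrypt_passwords and "%o" in chat:
        return "passwd chat uses %o, but with encrypted passwords no plaintext old password exists"
    return None


def parse_chat(chat):
    """Split a chat into (expect, send) pairs; a literal \\n in a send token becomes a newline."""
    tokens = chat.split()
    return [(tokens[i], tokens[i + 1].replace(r"\n", "\n") if i + 1 < len(tokens) else "")
            for i in range(0, len(tokens), 2)]


def run_chat(chat, prompts, new_password):
    """Drive the chat against the prompt list. Only %n is substituted: the old
    password typed at the NT workstation is never passed on to the passwd program.
    '*' is treated as a wildcard and matching is case-insensitive (an assumption)."""
    remaining, transcript = list(prompts), []
    for expect, send in parse_chat(chat):
        if not remaining:
            transcript.append(f"expected {expect!r} but passwd produced no more output")
            return False, transcript
        seen = remaining.pop(0)
        if not fnmatch.fnmatchcase(seen.lower(), expect.lower()):
            transcript.append(f"prompt {seen!r} did not match {expect!r}")
            return False, transcript
        transcript.append(f"matched {seen!r}")
        if send:
            transcript.append(f"sent {send.replace('%n', new_password)!r}")
    return True, transcript


if __name__ == "__main__":
    print(check_chat(OLD_STYLE_CHAT, encrypt_passwords=True))
    for name, prompts in (("NIS master", MASTER_PROMPTS), ("NIS slave", NIS_SLAVE_PROMPTS)):
        ok, log = run_chat(SUN_CHAT, prompts, "s3cret!")
        print(f"{name}: {'ok' if ok else 'FAILED'} ({log[-1]})")
```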

