ANNOUNCE: pam_pwexport, Unix->SMB password changes

Wed Jun 21 20:27:22 GMT 2000

[Seth Vidal <skvidal at phy.duke.edu>]
> I've got a current setup of nt users running on samba 2.0.7
> w/unencrypted passwords (nt plain password hack). I also have A LOT
> of unix-only users who never touch nt (but might someday)
> 
> I'd like to migrate to encrypted passwords, using this module to
> update the samba database.

That's *exactly* what I had in mind when I wrote the module.  I'll
release version 0.1 RSN.  (Random cleanups, things like actually
compiling on HP-UX and Solaris.)

> but my problem is account addition:
> ie: my smbpasswd file has no users in it. So I need to add all the users
> with the nopassword option. But then those accounts are more or less
> exposed. And the old password never works to change it.

smbpasswd has a lot of options, see the manpage:

  -a  add the user to the smbpasswd file
  -x  remove the user from smbpasswd
  -e  enable the account
  -d  disable the account
  -s  read passwords from stdin rather than /dev/tty

So you just have to cook up the appropriate script.  Here's a try,
untested.  (Perl is needed for the "$< = $>" line; I don't know a way
to do this in sh.)

----------------------------------------------------------------------
  #!/usr/bin/perl -wT

  # we're setuid so don't trust the values of these important variables
  $ENV{PATH}='/usr/local/samba/bin:/usr/bin';
  $ENV{IFS} =" \t";

  $< = $>;     # setuid(geteuid()) so smbpasswd won't complain
  if ($< != 0) { die "Must be run as root\n"; }

  while (<>) {
    chomp;
    m/^([^ ]+) (.*)$/;
    if    ($1 eq 'user'       ) { $u = $2; }
    elsif ($1 eq 'password'   ) { $n = $2; }
    elsif ($1 eq 'oldpassword') { $o = $2; }
  }

  open OUT, "| smbpasswd -s -a '$u'" or die "Cannot exec smbpasswd: $!\n";
  print OUT, "$n\n$n\n";
  close OUT;
----------------------------------------------------------------------

I'll try and test a few scenarios like this one and provide working
example scripts for version 0.1.

> So how do I make the change take place from multiple remote linux clients.

Since you will not (necessarily) have access to the old password, only
the new password, it's not good to rely on smbpasswd's remote password
update feature.  So what I'd do instead is do it by remote login,
i.e. ssh.  Either set up openssh so that the root account on your PDC
trusts the root accounts on other machines, or create a dedicated
account with uid 0 that has the above script as its login shell (and of 
course a locked password and a ~/.ssh/authorized_keys file that only
lets those other root accounts in).

Peter