Password Sync
Elrond
elrond at samba.org
Wed Jun 28 16:22:41 GMT 2000
On Wed, Jun 28, 2000 at 10:30:15PM +1000, Peter Samuelson wrote:
>
> [Elrond <elrond at samba.org>]
> > rpcclient -S ntpdc -U Administrator%passwdofadmin
> > samuserset ntuser -p newpassword
> [...]
> > So, now how to get the new pw?
> >
> > Check out the post
> > "ANNOUNCE: pam_pwexport, Unix->SMB password changes"
> > by Peter Samuelson <peter at cadcamlab.org>.
>
> Yeah, I didn't think of using rpcclient or samedit. I'll add something
> like this in as another example file in the next version. (To be
> released Real Soon Now, as I keep saying.) Thanks, Elrond.
Yeah, I just thought it up, when I saw the original post.
Oh. Can you ask Lars to include a link on his pages to your
stuff? (I don't know, if he has some "related stuff"-page
on his pages... didn't look there for a long time.)
> The difficulty with using multiple PAM modules for changing passwords
> is that password updates aren't atomic. It's easy to get the two
> password lists out of sync, if the first module succeeds but the second
> fails. (Say the PDC is unavailable, etc). At that point there's not
> too much you can do other than fix it manually. There's just no way to
> express the sequence "check to make sure all these updates will succeed
> (grabbing whatever locks are necessary to ensure this), then do them."
Well, if the first pam module succeeds in changing a
password, that later is sufficient to authenticates to
again change a password, and all the other pam-modules are
made to do a "force pw-change" (as the rpcclient-example
above) the user just can try to change it again...
(on the other side, I don't know enough about pam...)
Oh, BTW: I think, if your smb.conf sets the workgroup the
right way, you can call rpcclient -S '*', which lets
rpcclient find the pdc itself. (useful, if you have nt and
some DCs, because they can "promote" (right word?) the
pdc-role to any of them.)
> Peter
Elrond
More information about the samba-ntdom
mailing list