Password Sync

Elrond elrond at
Wed Jun 28 16:22:41 GMT 2000

On Wed, Jun 28, 2000 at 10:30:15PM +1000, Peter Samuelson wrote:
> [Elrond <elrond at>]
> > rpcclient -S ntpdc -U Administrator%passwdofadmin
> > samuserset ntuser -p newpassword
> [...]
> > So, now how to get the new pw?
> > 
> > Check out the post
> > "ANNOUNCE: pam_pwexport, Unix->SMB password changes"
> > by Peter Samuelson <peter at>.
> Yeah, I didn't think of using rpcclient or samedit.  I'll add something
> like this in as another example file in the next version.  (To be
> released Real Soon Now, as I keep saying.)  Thanks, Elrond.

Yeah, I just thought it up, when I saw the original post.

Oh. Can you ask Lars to include a link on his pages to your
stuff? (I don't know, if he has some "related stuff"-page
on his pages... didn't look there for a long time.)

> The difficulty with using multiple PAM modules for changing passwords
> is that password updates aren't atomic.  It's easy to get the two
> password lists out of sync, if the first module succeeds but the second
> fails.  (Say the PDC is unavailable, etc).  At that point there's not
> too much you can do other than fix it manually.  There's just no way to
> express the sequence "check to make sure all these updates will succeed
> (grabbing whatever locks are necessary to ensure this), then do them."

Well, if the first pam module succeeds in changing a
password, that later is sufficient to authenticates to
again change a password, and all the other pam-modules are
made to do a "force pw-change" (as the rpcclient-example
above) the user just can try to change it again...
(on the other side, I don't know enough about pam...)

Oh, BTW: I think, if your smb.conf sets the workgroup the
right way, you can call rpcclient -S '*', which lets
rpcclient find the pdc itself. (useful, if you have nt and
some DCs, because they can "promote" (right word?) the
pdc-role to any of them.)

> Peter


More information about the samba-ntdom mailing list