Copying the SAM to UNIX

Steve Langasek vorlon at netexpress.net
Sun Oct 15 06:27:38 GMT 2000


On Sun, 15 Oct 2000, Richard Sharpe wrote:

> I have an interesting and possibly unique situation where I want to take an
> existing SAM, full of accounts and NT password hashes, and move it to UNIX
> (probably FreeBSD). I would like the move to be as transparent as possible.

> I am suggesting that I can use pwdump2 to extract the SAM in a format to
> put into /etc/smbpasswd or whatever, and use PAM to authenticate users with.

> However, what we would like to do is to migrate users over to UNIX
> passwords over time, so I am suggesting that we actually use both smbpasswd
> and normal passwd authentication stuff in PAM, and make them sufficient,
> and put the UNIX one first.

> My hope is that if I can get the PAM setup correct, I can transition to all
> passwords in /etc/master.passwd over time.

> My concern is whether or not password changing is going to work OK.

Richard,

A pam config such as the following may do the trick (assuming Linux-PAM
/etc/pam.d-style config; does FreeBSD use /etc/pam.conf?):

auth       sufficient   pam_unix.so
auth       sufficient   pam_smbpass.so use_first_pass
password   requisite    pam_smbpass.so
password   required     pam_unix.so md5 shadow use_authtok nullok use_first_pass

The pam_unix module for FreeBSD may well have different options, but the
module stack would look essentially the same -- if you add your users to the
password file with null passwords, then auth will fall through to whichever
module you use for checking the passwords in /etc/smbpasswd.  When the user
runs the 'passwd' command, they *must* enter the password which matches the
one stored in /etc/smbpasswd, or the operation will fail. IFF they enter the
correct password, both /etc/smbpasswd and /etc/shadow (/etc/master.passwd in
your case) will be updated with the new value.  The above config will fail if
for some reason the UNIX password is set, but does not match the SAM password;
it should succeed if the UNIX password is not yet set, or if it matches the
SAM password.

HTH,
Steve Langasek
postmodern programmer
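Added example, not code from the original message or from Samba: a small Python model of how the four-line stack above evaluates, so the three cases Steve describes (UNIX password unset, set and matching the SAM, set and not matching) can be traced without a live PAM installation. It assumes a salted SHA-256 as a stand-in for both the NT hash in /etc/smbpasswd and the crypt(3) hash in /etc/master.passwd, and uses a simplified reading of the Linux-PAM control flags (sufficient, requisite, required). The two-pass password change is real PAM behaviour: the password stack is run once with PAM_PRELIM_CHECK and again with PAM_UPDATE_AUTHTOK, which is why a mismatch in pam_unix is caught before pam_smbpass has written anything.

```python
"""Model of the auth/password PAM stack from the post (example code, not Samba's)."""
import hashlib
import os


def _h(password, salt):
    # Stand-in for the NT hash / crypt(3) hash (assumption, not the real formats).
    return hashlib.sha256(salt + password.encode()).hexdigest()


class Store:
    """Constructed in-memory stand-ins for /etc/smbpasswd and /etc/master.passwd."""

    def __init__(self, unix_pw=None, sam_pw="NtSecret1"):
        self.salt = os.urandom(8)
        # None models the null password field Steve suggests for migrated users.
        self.unix = None if unix_pw is None else _h(unix_pw, self.salt)
        self.sam = _h(sam_pw, self.salt)


# --- module stand-ins: True means PAM_SUCCESS, False any failure code ---
def pam_unix_auth(store, pw, opts):
    if store.unix is None:
        return False  # no nullok on the auth line: a null UNIX password never authenticates
    return store.unix == _h(pw, store.salt)


def pam_smbpass_auth(store, pw, opts):
    return store.sam == _h(pw, store.salt)


def pam_smbpass_chauthtok(store, old, new, phase, opts):
    if phase == "PRELIM":
        return store.sam == _h(old, store.salt)  # old password must match the SAM entry
    store.sam = _h(new, store.salt)
    return True


def pam_unix_chauthtok(store, old, new, phase, opts):
    if phase == "PRELIM":
        if store.unix is None:
            return "nullok" in opts  # unset UNIX password is acceptable only with nullok
        return store.unix == _h(old, store.salt)
    store.unix = _h(new, store.salt)  # use_authtok: reuse the token pam_smbpass collected
    return True


# The stack exactly as posted; options are carried along but only nullok matters here.
AUTH_STACK = [
    ("sufficient", pam_unix_auth, ()),
    ("sufficient", pam_smbpass_auth, ("use_first_pass",)),
]
PASSWORD_STACK = [
    ("requisite", pam_smbpass_chauthtok, ()),
    ("required", pam_unix_chauthtok, ("md5", "shadow", "use_authtok", "nullok", "use_first_pass")),
]


def run_stack(stack, call):
    """Simplified Linux-PAM control-flag semantics (assumption: no 'optional', no jumps)."""
    required_failed = False
    required_ok = 0
    for control, module, opts in stack:
        ok = call(module, opts)
        if control == "requisite" and not ok:
            return False  # stop immediately
        if control == "required":
            if ok:
                required_ok += 1
            else:
                required_failed = True  # keep going, but the stack will fail
        if control == "sufficient" and ok and not required_failed:
            return True  # enough: skip the rest of the stack
    return not required_failed and required_ok > 0


def authenticate(store, pw):
    return run_stack(AUTH_STACK, lambda m, o: m(store, pw, o))


def change_password(store, old, new):
    # PAM_PRELIM_CHECK verifies the old token in every module before
    # PAM_UPDATE_AUTHTOK writes anything, so nothing is half-updated on failure.
    for phase in ("PRELIM", "UPDATE"):
        if not run_stack(PASSWORD_STACK, lambda m, o: m(store, old, new, phase, o)):
            return False
    return True


if __name__ == "__main__":
    migrated = Store(unix_pw=None, sam_pw="NtSecret1")   # fresh migration, null UNIX field
    print("auth via SAM only:", authenticate(migrated, "NtSecret1"))
    print("passwd with correct SAM password:", change_password(migrated, "NtSecret1", "NewPw2"))
    print("auth now via pam_unix:", authenticate(migrated, "NewPw2"))
    drifted = Store(unix_pw="Different", sam_pw="NtSecret1")  # UNIX set, disagrees with SAM
    print("passwd when UNIX != SAM:", change_password(drifted, "NtSecret1", "NewPw2"))
```

Running it walks the three cases: a migrated user with a null UNIX field authenticates only through pam_smbpass, a successful passwd run populates both files so pam_unix answers from then on, and an account whose UNIX and SAM passwords already disagree cannot change its password at all until one side is fixed by hand.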
