Progress Report: Follow up

Benjamin Kuit bj at mcs.uts.edu.au
Sun Feb 28 06:12:01 GMT 1999


Thanks guys for the queries and concerns, I found them quite
encouraging.

Instead of replying to each message separately, I've bundled them
all into here. Hope it doesn't make anyone lost.

Dan Kaminsky:
> > ... password changing works for us ... [ Ref byte ordering ]
> How is stability/reliability compared to the pre-existing NT solution?

I'm unsure what you're referring to. Previously when I was testing
samba, we couldn't change passwords because [among others] new_passwd
in check_oem_password was decoded to be a string of zeros, but I guess
it was a string of stable zeros =)

> > ... I've configured a 'default' logon path ... [then] have an
> > 'include = <path>/%m' ...
>
> I've found that [this] breaks down when including by machine [because]
> each new machine needs to have its own smb.conf.%m file

You only need a smb.conf.%m file for each machine that doesn't use
the default value (i.e. the value in the main smb.conf file). As for
<path>/smb.conf.%m, that is simply a symlink to (in our case) ./maths.conf
so the lib directory only has a small number of conf files plus a
directory full of symlinks.

Generating the symlinks shouldn't be a pain though, since you have
to manually add each machine with smbpasswd anyway, so that would
be the good time to create the symlink/file.

In our case we're lucky because the 'alternative' labs are on a
different subnet, thus the symlink can be generated with a statement
like 'root preexec = newmach %I %m', where 'newmach' is a script which
looks at the IP address (%I), determines which subnet it's on, then
creates the symlink on behalf of the machine (%m). Good place for
this would be the netlogon share.

Todd Pfaff: (wasn't sent to list, but still quite valid)
> ... you probably know this already but your command:
> ssh -x <server> chpass <username> <pass>
> will be insecure ...

Both the NIS master and the Samba server are dedicated machines which
don't allow students to log into them, so no-one would see the arguments
anyway, still ...

My actual implementation would be a separate program which is called by
samba:

in smb.conf:
passwd program = change_pass
passwd chat = "*Enter password: %n\n"

change_pass:
#!/usr/bin/env perl
# Called by smbd via 'passwd program'. The username arrives as an
# argument; the new password arrives on stdin via 'passwd chat', so it
# never appears in the process list.
$username = $ARGV[0];
print "Enter password: ";
chomp($password = <STDIN>);
# Two-character DES salt drawn from the 62-character alphabet.
# rand(@salt) yields an index in 0..61; the original rand($#salt+2)
# could index one past the end of the array.
@salt = ( 'a'..'z', 'A'..'Z', '0'..'9' );
$salt = $salt[rand(@salt)] . $salt[rand(@salt)];
$cpass = crypt($password, $salt);
# Only the crypt string is sent to the NIS master, never the cleartext.
system "ssh -x ypserv chpass $username $cpass &";
exit 0;

This solution has two benefits worth mentioning: the new password is
read in from stdin and not from an argument, then hashed, then forwarded
to ypserv to inform the server what unix crypt string to throw into
the user's passwd entry, rather than get the server to do the cryption.

Also this is safe against unsafe passwords (for instance people who use
quote characters in their passwords) since the unix password hash only
contains chars which don't have special meaning to most shells.

Luke Kenneth Casson Leighton:
> > I've been ... implement[ing] a mysql database for passdb ...
>
> you have??? ... is it for cvs-main or 2_0?  cvs-main would be best.

You'll be happy to know that it is built for cvs-main.

Due to the interest I've (literally) thrown up a URL:

http://www-staff.socs.uts.edu.au/~bj/samba/index.html

Here you'll find a context diff file which works with
cvs-main (27/02/99) along with my mysql_convert.pl program which
allows you to swap between file to mysql smbpasswd methods.

I've only coded this on my own without exhaustive consideration for
other systems, so it may suffer from system dependent code.

I'm also kind of shy to publish my own code, so be gentle =)

> actually we found that with some unixen the speed was limited by getpwnam
> calls not by private/smbpasswd, which is a bit weird.

The bold solution to that would be to add fields to smbpasswd so
that it could totally replace getpwnam calls?

Has the added benefit that you won't need the people to actually exist
on the unix box, just requires access to the user filesystem.

Ciao, semester starts tomorrow and I'm actually doing subjects too,
plus my timetable sucks (just thought I'd add that for the record).

Bj

+-------------------------------+--------------------------------------+
|      Benjamin (Bj) Kuit       |  Faculty Of Mathematical             |
|      Systems Programmer       |          and Computing Sciences.     |
|      Phone: 02 9514 1841      |  University of Technology, Sydney    |
|      Mobile: 0412 182 972     |  bj at mcs.uts.edu.au                   |
+-------------------------------+--------------------------------------+
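The other half of the 'ssh -x ypserv chpass <username> <cpass>' call above is the chpass side on the NIS master, which the post does not show. As an added example (not code from the post or from Samba), here is what that receiver should check before touching anything: the username is a plain login name and the second argument really is a 13-character DES crypt string, so a quote or shell metacharacter can never reach the passwd source. The file format, the 'chpass' name and the sample entries are assumptions.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all drawn
# from [./0-9A-Za-z]. Nothing in this set is special to a POSIX shell,
# which is the property the post relies on when passing the hash via ssh.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Conservative Unix login name: no ':' (passwd field separator), no '/'.
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def validate_request(username, cpass):
    """Return None if the pair is acceptable, else a short reason string."""
    if not USER_RE.match(username):
        return "bad username"
    if not CRYPT_RE.match(cpass):
        return "bad crypt string"
    return None


def update_passwd(lines, username, cpass):
    """Replace the hash field of `username` in passwd-format lines.

    Returns (new_lines, changed). Every other line is kept verbatim; an
    unknown user leaves the data untouched and reports changed=False.
    """
    reason = validate_request(username, cpass)
    if reason is not None:
        raise ValueError(reason)
    out, changed = [], False
    for line in lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 2 and fields[0] == username:
            fields[1] = cpass
            changed = True
        out.append(":".join(fields))
    return out, changed


# Constructed sample entries, not taken from any real system.
SAMPLE = [
    "root:x:0:0:root:/root:/bin/sh",
    "alice:abJnggxhB/yWI:1000:100:Alice:/home/alice:/bin/sh",
]

if __name__ == "__main__":
    new, ok = update_passwd(SAMPLE, "alice", "cdVgW.Kq/0jDk")
    print("\n".join(new), ok)
```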

