ANNOUNCE: pam_pwexport, Unix->SMB password changes

Peter Samuelson peter at
Tue Jun 13 12:06:48 GMT 2000

[[posted to samba-ntdom and samba-technical]]

More than one user has recently asked about Unix->Samba password sync.

You can go the *other* direction with those chat options in smb.conf,
and Samba even has an option `update encrypted' for using cleartext
passwords and populating the smbpasswd file when people change them.

But when a user executes `passwd' or `yppasswd' on the Unix system,
Samba has no way of knowing, so your NT password gets out of sync.

Until now.

For all you out there who use PAM-enabled Unix systems (that means most
flavors of Linux and Solaris, and recently HP-UX, and possibly others I
don't know about), you may wish to give this a shot:

It sits and snoops whenever a user enters or changes a password through
PAM, and sends the passwords off to be processed by an arbitrary
PAM-unaware executable.  That means:

* For all logins (ftp, ssh, telnet, pop3, etc) you can grab the
  password and use it to populate your local smbpasswd file.  This is
  akin to the smb.conf `update encrypted' option, useful for migration
  from a Unix environment to a mixed Unix/NT environment.

* For Unix password changes, you get both the old and new password, so
  you can either do the above, or update an NT domain controller (or
  remote Samba domain controller).  Assuming your NIS domain controller 
  is PAM-aware, this should work for `yppasswd' as well.  (Untested.)

* Although I wrote it with Samba in mind, it is by no means specific to
  smbpasswd; other similar "password migration" scenarios should work
  just as well.

Like most PAM modules, it's not very hard to set up.  Included is an
example glue script for making it work with smbpasswd.

BUT: It's a 0.0 release and has only been tested on Linux-PAM.  It may
work on the other Unices, but I don't have Solaris and I haven't gotten
a chance to test on HP-UX yet.  It's also missing some error checking
and other polish.  (I'll gladly take patches.)

ALSO: pam_pwexport won't work properly without a small patch, included,
to fix a bug in Linux-PAM 0.72.

Enjoy.  I did.  (PAM modules are much easier to write than you think.)


More information about the samba-technical mailing list