Samba-based password synchronization

Paul L. Lussier plussier at ne.arris-i.com
Fri Oct 15 19:31:07 GMT 1999


In a message dated: Sat, 16 Oct 1999 04:26:06 +1000
"Norm Long" said:

>Greetings to all once again,
>
>This is request for help message number 2.   I have a hpux 10.20 machine
>that is NOT TRUSTED, that is, there are passwords in the /etc/password file.

Oh, so does "TRUSTED" in HP-PUX land mean you use shadow passwords?

>I'm trying to authenticate winnt 4.0 and win95 clients to this server.  I
>have added the following parameters to my smb.conf file:
>
>encrypt passwords = yes
>smb passwd file  = /usr/local/samba/private/smbpasswd
>
>I have created the smbpasswd using the command cat /etc/passwd |
>mksmbpasswd.sh > /usr/local/samba/private/smbpasswd.
>
>From what I understand once this smbpasswd file has been created and samba
>has been restarted (inetd -c for me) windows users can change their
>passwords and the smbpasswd file is updated.  The question is HOW DO I GET
>PASSWORDS INTO THE SMBPASSWD FILE?  I would rather have the users set and
>control their passwords and I would prefer the users not have to log into
>the unix machine and create their password using the smbpasswd command.  Is
>it necessary for the users to use the smbpasswd command to first set their
>passwords on the hpux 10.20 box?   

What I would suggest, and this is tedious, but it's also secure, and faster 
than anything else, is this.  Write a script which uses the 'mkpasswd' command 
(which comes with tcl/tk) to generate good passwords then for each user, write 
that password into a file with the user's login name (make 0600 for security 
purposes) and also have it run the password through smbpasswd.  Then send out 
an e-mail telling all users that they have to come and see you personally in 
order to get their password. 

Also, write a script that generates output listing the user name/password and 
any other new directions you want to provide to them (including pointers to 
your internal website which hopefully has all the directions :)

When users come to your office, run the script with the user name as an argument, 
and pipe the output to the lpr command to print the data out to the nearest 
printer and tell the user to go get it.

If you have more than 10 people you need to set up accounts for, this method 
works quite well.  We just did this when migrating mail systems from a 
corporate system to our own.  It guaranteed that you got to see everyone, no 
one has their password insecurely sitting around in an e-mail, and since it's 
a "good" password, most people will change them immediately, since they hate 
the one you provided, instantly making your copy in the file obsolete, and no 
longer a security risk :)


>And how can the users change their passwords from the windows95 and winnt side?

Once you have Samba properly configured to sync passwords, they can just 
change the passwords from their Win systems by using the Control-panel->
passwords program.

>Any and all responses welcome, thanks to all in advance!!!!

Hope this helps.


-- 

Seeya,
Paul
----
	    Depression is merely anger without enthusiasm.
     There cannot be a crisis today; my schedule is already full.
  A conclusion is simply the place where you got tired of thinking.
	 If you're not having fun, you're not doing it right!
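
Added example, not part of the original message: one way to script the provisioning steps described in the reply. It assumes Expect's `mkpasswd` (with `-l`) and an `smbpasswd` that supports `-s` and `-a`; `PWDIR`, the function names and the slip text are made up for illustration.

```shell
#!/bin/sh
# Added example. PWDIR and the slip wording are assumptions, not from the post.
PWDIR="${PWDIR:-/root/initial-passwords}"

# Expect's mkpasswd is the generator named in the reply; -l 12 is an assumed length.
gen_password() {
    mkpasswd -l 12
}

# Refuse names that could escape PWDIR or be read as a command-line option.
valid_login() {
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9._-]*) echo "bad login name: $1" >&2; return 1 ;;
    esac
}

# provision_user LOGIN: generate a password, store it 0600, load it into smbpasswd.
provision_user() {
    user=$1
    valid_login "$user" || return 1
    pw=$(gen_password) || return 1
    [ -n "$pw" ] || return 1
    (
        umask 077                   # directory 0700 and file 0600 from creation on
        mkdir -p "$PWDIR" || exit 1
        rm -f "$PWDIR/$user"        # a stale file would keep its old, wider mode
        printf '%s\n' "$pw" > "$PWDIR/$user"
    ) || return 1
    # -s takes the password (entered twice) on stdin, keeping it out of ps output;
    # -a adds the smbpasswd entry if the user does not have one yet.
    printf '%s\n%s\n' "$pw" "$pw" | smbpasswd -s -a "$user" >/dev/null || return 1
}

# print_slip LOGIN: the sheet handed over in person, e.g. print_slip LOGIN | lpr
print_slip() {
    user=$1
    valid_login "$user" || return 1
    [ -r "$PWDIR/$user" ] || { echo "no password on file for $user" >&2; return 1; }
    printf 'Login:    %s\nPassword: %s\n' "$user" "$(cat "$PWDIR/$user")"
    printf 'Change this password at first login.\n'
}

# Run as: sh provision.sh LOGIN [LOGIN ...]   (no arguments: define functions only)
for u in "$@"; do
    provision_user "$u" || exit 1
done
```

Once a user has changed the password from their Windows client, the stored copy under `PWDIR` is obsolete and can be deleted.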



