[Samba] PDC and yppasswd

Andrew Bartlett abartlet at pcug.org.au
Thu Feb 7 02:45:03 GMT 2002


"Kevin G. J. Freels" wrote:
> 
> Greetings!
> 
> We are testing the implementation of Samba as a PDC as outlined
> in Linux Magazine's "Using Samba as a PDC" by Andrew Bartlett
> (Feb 2002, pg 16). This sounds great since we're actively trying
> to get rid of a certain NT which acts as our PDC, and work
> towards unifying our account namespace and storage environment.
> Fortunately, Samba is assisting with this quite nicely.
> 
> However, in the article, the set up refers to an expect-like
> configuration for passwords in the [global] section:
> 
> [global]
> unix password sync = true
> password program = /usr/bin/passwd %u
> passwd chat = \
>    *password* %n\n \
>    *password* %n\n \
>    *successful*
> 
> However, our UNIX users must use "yppasswd" to change their
> passwords on each local system (really, updating the yp password
> map). Our Samba server is not the same system as our NIS server,
> so passwords must also be changed with yppasswd on that system.
> The yppasswd routine requires *two* entries: the old (or current)
> password, and the new password.
> 
> My question: is there a set up for this? It looks like the
> password chat deals with only one variable, i.e., the old
> password. 

I assume you mean new password.  The example doesn't show the use of
'%o' for old password for the reasons I outline below:

> I have been told that there exists the possibility that
> using plain "passwd" on a yp client will change the yppasswd
> regardless, but I have had time to confirm that. Have NIS issues
> like this one been addressed?

The problem here is that Samba often only gets the 'new password' - it
never gets the old one.  As such it can only do password sync where
either:

 - The local system allows root to change a password without the old
password

or 

 - The old password was supplied.

Most clients (including smbpasswd) don't supply the old password.

As such, your options are to write some 'magic' wrapper that somehow
tells your NIS server that this is a root-based password change (ssh
root@nisserver passwd %u might work) or run Samba's PDC components on
the NIS server.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
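
Added example, not part of the original message and not Samba's own code: one way the ssh wrapper suggested above could be written so that the substituted %u is validated before it reaches the remote shell. The script path, the NIS_HOST variable, the function names and the allowed character set are assumptions; "nisserver" is the host name used in the message.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. installed as /usr/local/sbin/nis-passwd-sync and
# referenced from smb.conf as:
#   password program = /usr/local/sbin/nis-passwd-sync %u
# Assumptions: the NIS master is reachable as "nisserver" and root on the
# Samba host has key-based ssh access to it.
LC_ALL=C; export LC_ALL            # keep the a-z range below ASCII-only
NIS_HOST="${NIS_HOST:-nisserver}"

# ssh joins its arguments into one string that the remote shell re-parses, so
# the username must not contain shell syntax or look like an option to passwd.
valid_username() {
    case "$1" in
        ''|-*)          return 1 ;;   # empty, or would be read as an option
        *[!a-z0-9_.-]*) return 1 ;;   # anything outside a conservative set
    esac
    [ "${#1}" -le 32 ]
}

# Print the exact command line the remote side will run, or fail.
remote_command() {
    valid_username "$1" || return 1
    printf '/usr/bin/passwd %s' "$1"
}

sync_password() {
    cmd=$(remote_command "$1") || { echo "refusing username" >&2; return 64; }
    # -t: give the remote passwd a terminal so it prompts as it would locally.
    # BatchMode: fail instead of letting ssh itself prompt and confuse the chat.
    exec ssh -t -o BatchMode=yes "root@${NIS_HOST}" "$cmd"
}

# Run only when called with a username (Samba substitutes %u).
[ "$#" -eq 0 ] || sync_password "$1"
```

Restricting the key on the NIS server to this one command (a forced command in authorized_keys) limits what a compromise of the Samba host can do with it.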



