[Samba] smbpasswd + ldap questions
ichbin at shadlen.org
Mon Jun 24 00:24:03 GMT 2002
I would like to have sync'd Unix and Samba passwords. My Unix passwords
are stored in OpenLDAP for uniformity across machines and services. I
have some problems with the standard solutions to this problem though:
* if I have Samba authenticate from OpenLDAP directly (using the
smbPassword attribute), then I get sync'ing problems when the password
is changed via normal Unix means. We are primarily a Unix shop; I cannot
force my users to change passwords always via Samba. Also, I would
really prefer to stay within the PAM universe, not merely because of its
elegance, but also because it allows me to do very flexible, additional
checks (e.g. pam_cracklib).
* keeping Samba passwords in smbpasswd and using pam_smbpasswd to auth
and sync would be perfect -- except that my users don't work on my file
server, so no PAM stack there would ever be executed (I guess I could
put smb_passwd in the PAM stack of netatalk, which runs from that
machine, but demanding that users mount their home directory via
Appletalk in order to sync their Samba passwords seems rather bizarre).
Even if I were to run Samba on a user machine, the smbpasswd file would
only be updated if the user happened to run passwd on THAT machine.
What I really want is either:
* that pam_smbpasswd be able to update the smbpasswd file on ANOTHER
computer. Say on the file server via smb. Is this actually possible and
I've just missed it? If so, how do I configure that? Or...
* a "pam_smbldap" module that does what pam_smbpasswd does, but uses an
LDAP backend in place of the smbpasswd file. I actually looked at the
pam_smbpasswd code to see if this would be easy to implement. The code
is very straightforward, but unfortunately this is because it hides all
of the actual work in calls to Samba libraries. Has someone with more
understanding of the Samba internals perhaps already undertaken the
production of a "pam_smbldap" module?