[Samba] Re: [GLUG] Samba password changes?
abartlet at samba.org
Fri Oct 11 12:49:01 GMT 2002
Buchan Milne wrote:
> Adriaan.Putter at aventis.com wrote:
> > hi,
> > i've setup a LDAP server with account information,
> > and compiled samba with ldap support.
> > everything works great, except for the password changes
> > i still have to run two separate commands ( passwd, smbpasswd )
> > to change a users password.
> > i've tried to put the pam_smbpasswd.so module into
> > system-auth, but that does work?
> No, pam_smbpasswd is meant for modifying the smbpasswd file, it doesn't
> do anything else.
> I found the best solution was to use:
> unix password sync = yes
> pam password change = yes
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
> (not sure if the passwd chat is necessary)
> and then modify your /etc/pam.d/passwd to do password changes via LDAP.
> This ensures that password changes from samba apply the same rules that
> any other password change would apply.
> Only problem I have now is if a user does a unix password change, it
> currently won't change their windows password, but I believe there is a
> hacked pam_ldap which will do that too.
> (I have some issues with the idealx stuff, but it should all work out
> the box on recent Mandrake RPMs).
You seem to be in a bit of a mess here...
pam_smbpass uses Samba's passdb backend to communicate with smbpasswd,
or Samba's LDAP backend. It allows the full range of operations
normally available on /etc/shadow: checking and changing passwords,
both as root and a normal user.
This should allow you to keep just one password database, and not use
/etc/shadow. Or you can keep them both in sync, by listing both in your
The other thing mentioned here (unix password sync) is a way to sync
incoming remote password changes with 2 sources, the smbpasswd file/LDAP
equiv and some 'unix' password system. This only matters if you keep
the unix password file - you may be better to use pam_smbpass and just
A third option is with Samba 3.0, we have 'ldap password sync', this
sets the userPassword attribute in LDAP via an extended operation, and
lets you aim pam_ldap at your LDAP DB.
A fourth option (again 3.0) is to run winbindd on your PDC, set 'winbind
use default domain' and use pam_winbind.
In any case, there are certainly plenty of solutions here...
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
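
Added example, not part of the original thread or of Samba's own code: a small checker that reads the [global] section of an smb.conf and reports which password stores an SMB-side password change will reach, covering the settings discussed above. The sample configuration is constructed; the smb.conf parameter is spelled "ldap passwd sync", and the spelling used in the post is accepted as well.

```python
import re

TRUE = {"yes", "true", "1", "on"}

# Constructed sample smb.conf (not from the thread). The last setting sits
# outside [global], so the checker must ignore it.
SAMPLE = r"""
[global]
   passdb backend = ldapsam:ldap://localhost
   Unix Password Sync = Yes
   pam password change = yes
   passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
[homes]
   ldap passwd sync = yes
"""

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized parameter: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # trailing backslash continues a line
            pending = line[:-1]
        elif not line or line[0] in "#;":  # blank line or comment
            continue
        elif re.match(r"\[.+\]$", line):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def sync_report(text):
    """List which password stores an SMB-side password change will update."""
    p = parse_global(text)
    on = lambda k: p.get(norm(k), "no").lower() in TRUE
    findings = []
    if on("unix password sync"):
        how = "PAM" if on("pam password change") else "passwd program"
        findings.append(f"SMB change also updates the unix password via {how}")
    ldap = p.get(norm("ldap passwd sync"), p.get(norm("ldap password sync"), "no"))
    if ldap.lower() in TRUE | {"only"}:
        findings.append("SMB change sets userPassword in LDAP")
    return findings or ["SMB change updates the Samba hashes only"]

if __name__ == "__main__":
    print("\n".join(sync_report(SAMPLE)))
```
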