[Samba] Re: [GLUG] Samba password changes?

Andrew Bartlett abartlet at samba.org
Fri Oct 11 12:49:01 GMT 2002

Buchan Milne wrote:
> Adriaan.Putter at aventis.com wrote:
> > hi,
> >
> > i've set up an LDAP server with account information,
> > and compiled samba with ldap support.
> >
> > everything works great, except for the password changes
> > i still have to run two separate commands ( passwd, smbpasswd )
> > to change a user's password.
> >
> > i've tried to put the pam_smbpasswd.so module into
> > system-auth, but that does work?
> >
> No, pam_smbpasswd is meant for modifying the smbpasswd file, it doesn't
> do anything else.
> I found the best solution was to use:
> unix password sync = yes
> pam password change = yes
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
> *LDAP*passwd:*all*authentication*tokens*updated*successfully*
> (not sure if the passwd chat is necessary)
> and then modify your /etc/pam.d/passwd to do password changes via LDAP.
> This ensures that password changes from samba apply the same rules that
> any other password change would apply.
> Only problem I have now is if a user does a unix password change, it
> currently won't change their windows password, but I believe there is a
> hacked pam_ldap which will do that too.
> (I have some issues with the idealx stuff, but it should all work out
> the box on recent Mandrake RPMs).

You seem to be in a bit of a mess here...

pam_smbpass uses Samba's passdb backend to communicate with smbpasswd,
or Samba's LDAP backend.  It allows the full range of operations
normally available on /etc/shadow:  checking and changing passwords,
both as root and a normal user.

This should allow you to keep just one password database, and not use
/etc/shadow.  Or you can keep them both in sync, by listing both in your
PAM configuration.

The other thing mentioned here (unix password sync) is a way to sync
incoming remote password changes with 2 sources, the smbpasswd file/LDAP
equiv and some 'unix' password system.  This only matters if you keep
the unix password file - you may be better to use pam_smbpass and just
use one.

A third option is with Samba 3.0, we have 'ldap password sync', this
sets the userPassword attribute in LDAP via an extended operation, and
lets you aim pam_ldap at your LDAP DB.

A fourth option (again 3.0) is to run winbindd on your PDC, set 'winbind
use default domain' and use pam_winbind.

In any case, there are certainly plenty of solutions here...

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
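
Added example, not part of the original post: a PAM password stack for the "keep them both in sync" option described above, where one passwd run updates /etc/shadow and then Samba's passdb. The module options follow the password-sync sample in the pam_smbpass README; the file path, the pam_cracklib line and the shadow/md5 options are assumptions about the local system.

```conf
# /etc/pam.d/passwd (path assumed; some distributions use system-auth instead)
# Password-change stack only; auth/account/session lines are left as they are.

# Optional strength check (assumed to be installed on this system).
password   requisite   pam_cracklib.so retry=3

# Update /etc/shadow first. "requisite" aborts the stack on failure, so the
# Samba hashes are never changed when the UNIX change was rejected.
password   requisite   pam_unix.so shadow md5 use_authtok try_first_pass

# Then hand the same new password to Samba's passdb backend (smbpasswd file
# or LDAP, whichever smb.conf selects). use_authtok reuses the token set by
# the modules above instead of prompting again. nullok permits accounts whose
# current Samba password is empty; omit it if no such accounts should exist.
password   required    pam_smbpass.so nullok use_authtok try_first_pass
```

With this stack in place, 'unix password sync' only matters for password changes that arrive from Windows clients through smbd.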
