[Samba] Re: [GLUG] Samba password changes?

Buchan Milne bgmilne at cae.co.za
Fri Oct 11 13:42:01 GMT 2002

Andrew Bartlett wrote:
> Buchan Milne wrote:
>>Adriaan.Putter at aventis.com wrote:
>>>i've setup a LDAP server with account information,
>>>and compiled samba with ldap support.
>>>everything works great, except for the password changes
>>>i still have to run two seprate commands ( passwd, smbpasswd )
>>>to change a users password.
>>>i've tried to put the pam_smbpasswd.so module into
>>>system-auth, but that does work?

The funny thing about this thread is that pam_smbpasswd shouldn't really 
affect what happens when a user changes their password via samba ...

Adriaan, if you haven't sorted this out, what are you aiming at doing? 
Just keeping the unix and samba password in LDAP in sync from a password 
change via samba, or is it more complex than that?

>>No, pam_smbpasswd is meant for modifying the smbpasswd file, it doesn't
>>do anything else.
>>I found the best solution was to use:
>>unix password sync = yes
>>pam password change = yes
>>passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
>>(not sure if the passwd chat is necessary)
>>and then modify your /etc/pam.d/passwd to do password changes via LDAP.
>>This ensures that password changes from samba apply the same rules that
>>any other password change would apply.
>>Only problem I have now is if a user does a unix password change, it
>>currently won't change their windows password, but I believe there is a
>>hacked pam_ldap which will do that too.
>>(I have some issues with the idealx stuff, but it should all work out
>>the box on recent Mandrake RPMs).
> You seem to be in a bit of a mess here...
> pam_smbpass uses Samba's passdb backend to communicate with smbpasswd,
> or Samba's LDAP backend.  It allows the full range of operations
> normally available on /etc/shadow:  checking and changing passwords,
> both as root and a normal user.

The documentation doesn't reflect that, unless you make assumptions 
about what smbpasswd means ... and previous comments on samba at samba.org 
on it implied it only worked with the smbpasswd file backend.

And (AFAIK) it only solves password changes which occur on a/the DC, the 
  problem remains with users changing passwords from unix client 
machines, only their unix password will be changed, they will have to 
manually change their windows password.

Or am I missing something?

> This should allow you to keep just one password database, and not use
> /etc/shadow.  Or you can keep then both in sync, by listing both in your
> PAM configuration.
> The other thing mentationed here (unix password sync) is a way to sync
> incoming remote password changes with 2 sources, the smbpasswd file/LDAP
> equiv and some 'unix' password system.  This only matters if you keep
> the unix password file - you may be better to use pam_smbpass and just
> use one.

Well, 'pam password change' with pam_ldap allows you to keep LDAP 
passwords in sync, and there are some things (phpgroupware for one) 
which can authenticate by LDAP but not by pam (so pam_smb is out of the 

> A third option is with Samba 3.0, we have 'ldap password sync', this
> sets the userPassword attriubute in LDAP via an extended operation, and
> lets you aim pam_ldap at your LDAP DB.
> A forth option (again 3.0) is to run winbindd on your PDC, set 'winbind
> use default domain and use pam_winbind.

Do you mean running winbind on the unix clients?

Then you have uid mismatches, so you can't use NFS? Or is there a way to
keep the winbind rid/uid/gid mapping consistent between machines?

> In any case, there is certainly plenty of solutions here...

But the only way to address users on unix clients changing their 
password is with a hacked up pam_ldap that will change ntPassword and 


|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

More information about the samba mailing list