[Samba] PAM Module for SMB-LDAP

Buchan Milne bgmilne at cae.co.za
Thu Jan 30 19:13:03 GMT 2003


Bradley W. Langhorst wrote:
> On Thu, 2003-01-30 at 13:46, Buchan Milne wrote:
>
>>It really has no relationship to which samba you're running, since this
>>is when changing your password on a unix machine which is not a DC, so
>>you can't (AFAIK) use pam_smbpass, and the machine may have no samba
>>components installed on it anyway.
> 
> I could be mistaken but I believe that the pam_smbpass that comes with
> samba uses native samba calls to change the password.

Well then the docs on it are really stuffed and ambiguous ... but I
would be happy to know that this works ...


From:
samba-2.2.7a/source/pam_smbpass/README

"This module authenticates a local smbpasswd user database.  If you require
support for authenticating against a remote SMB server, or if you're
concerned about the presence of suid root binaries on your system, it is
recommended that you use one of the other two following modules"

I have already determined from Andrew Bartlett that there is ambiguity
in 'smbpasswd user database', as it should be 'samba passdb backend', to
be more clear that LDAP etc is supported in 2.2.7a on the DC.

But it may be out of date:
"25 Mar 2001"

Or maybe works better on samba3 ...

> 
> Really - this does work on my setup
> i've just tested it by changing my password like this on the command
> line
>  passwd bwlang
> New UNIX password:
> BAD PASSWORD: it is based on a dictionary word
> Retype new UNIX password:
> LDAP password information changed for bwlang
> passwd: password updated successfully
> 
> now when i log in to an xp machine (joined to the samba pdc)
> i must use the new password
> 
> here's what my auth.log says...
> Jan 30 13:49:22 bitc PAM_unix[29461]: username [bwlang] obtained
> Jan 30 13:49:22 bitc PAM_unix[29461]: Password for bwlang was changed
> Jan 30 13:49:22 bitc PAM_smbpass[29461]: username [bwlang] obtained
> Jan 30 13:49:22 bitc PAM_smbpass[29461]: password for (bwlang/603) changed by (root/0)
> 
> 
> 
>>AFAIK, the only way around this is a hacked pam_ldap which changes
>>ntpasswd and lmpasswd, there is one around somewhere ...
> 
> maybe I'm using that hacked pam_ldap but I don't remember installing
> it...
> 

You can check:

$ strings /lib/security/pam_ldap.so |grep -i ntpassword

For example:
[bgmilne@bgmilne wxgps]$ strings /lib/security/pam_ldap.so |grep -i \
userpassword
userPassword

> am i smoking crack here? seems to work.

We'll find out ...

Buchan

-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
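
An added example, not part of the original message: one way to check auth.log for password changes that reached PAM_unix but not PAM_smbpass in the same `passwd` session (same PID), which is the evidence the quoted log is being used for. It assumes the two success-message formats quoted above; the sample log is constructed, and the function names are this example's own. A flagged entry is a prompt to check, not proof of stale Samba hashes, since a pam_ldap that updates the NT/LM hashes itself would not log as PAM_smbpass.

```python
import re
from collections import defaultdict

# Constructed sample in the auth.log format quoted above, one event per line.
# PID 29461 mirrors the quoted session; PID 30112 and user "jdoe" are invented.
SAMPLE_LOG = """\
Jan 30 13:49:22 bitc PAM_unix[29461]: username [bwlang] obtained
Jan 30 13:49:22 bitc PAM_unix[29461]: Password for bwlang was changed
Jan 30 13:49:22 bitc PAM_smbpass[29461]: username [bwlang] obtained
Jan 30 13:49:22 bitc PAM_smbpass[29461]: password for (bwlang/603) changed by (root/0)
Jan 30 14:02:10 bitc PAM_unix[30112]: username [jdoe] obtained
Jan 30 14:02:11 bitc PAM_unix[30112]: Password for jdoe was changed
"""

# syslog prefix: timestamp, host, then "ident[pid]: message"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ (PAM_\w+)\[(\d+)\]: (.*)$")

# Success messages per module, as they appear in the quoted log (assumed stable).
CHANGE_PATTERNS = {
    "PAM_unix": re.compile(r"Password for (\S+) was changed$"),
    "PAM_smbpass": re.compile(r"password for \(([^/)]+)/\d+\) changed by \("),
}

def modules_per_change(log_text):
    """Map (pid, user) -> set of PAM modules that logged a successful change."""
    changed = defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(1) not in CHANGE_PATTERNS:
            continue
        hit = CHANGE_PATTERNS[m.group(1)].match(m.group(3))
        if hit:
            changed[(int(m.group(2)), hit.group(1))].add(m.group(1))
    return dict(changed)

def unsynced_changes(log_text, required=("PAM_unix", "PAM_smbpass")):
    """Return (pid, user, missing_modules) for changes not seen by every required module."""
    report = []
    for (pid, user), mods in sorted(modules_per_change(log_text).items()):
        missing = [name for name in required if name not in mods]
        if missing:
            report.append((pid, user, missing))
    return report

if __name__ == "__main__":
    for pid, user, missing in unsynced_changes(SAMPLE_LOG):
        print(f"pid {pid}: password for {user} changed without {', '.join(missing)}")
```

Real syslog output may wrap or rate-limit lines differently; feed it one event per line, as in the sample.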


