[Samba] Samba PDC and Passwords
Christopher Odenbach
odenbach at hni.upb.de
Tue Jul 8 13:38:07 GMT 2003
Hi,
> I have a dilemma here about the user accounts.
>
> We have all the accounts at a NIS server. My samba PDC is another
> machine (different from the NIS server). What are my options for
> managing the accounts?
>
> 1) Central management (LDAP)
Yes
> 2) Keep different password files (passwd/smbpasswd)
Yes
> Are there any different options??
Don't think so.
> If I use the second option (2 - keep different password files), can I
> sync the passwords from Unix to Samba and vice versa?
Easily only vice versa. :-)
In detail:
Unix crypt and Windows crypt are different. But they are both one-way
hashes. So if you want to change both passwords at the same time, you
will have to get access to the clear text password to do the encryption.
If someone changes his unix password the password is encrypted using
unix crypt() on the client machine, then transferred to the NIS master
(I think). So it is not possible to install anything central at the NIS
master.
The other way works better: When you change a windows password, the new
password (but not the old one) is somehow transferred in clear text to
the server (maybe it gets somewhat encrypted for the transport, but the
server finally gets the clear text password). Search the archive for my
post about this (keyword would be passwdHK.dll).
If you want to use the samba server as pdc, password changes via
smbpasswd go there. You can use the smb.conf settings

    unix password sync = yes
    passwd chat = [...]
    passwd program = [...]

to set the password on the unix side. BUT: samba calls the passwd
program as root and expects to be able to change the user's password
without knowing the old one. So normally the samba server has to run on
the NIS master server.
So if your NIS master is != your samba server, write a script that can
run on your samba server and that is able to change a user's unix
password without knowing the old one. We have such a thing running to
synchronize the windows password (from a W2K Server) to our NIS master.
Hope that helps,
Christopher
--
======================================================
Dipl.-Ing. Christopher Odenbach
HNI Rechnerbetrieb
odenbach at uni-paderborn.de
Tel.: +49 5251 60 6215
======================================================
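
Added example, not part of the original post and not the script the author mentions: one way a "passwd program" on the Samba server could set a user's Unix password on a separate NIS master without knowing the old one. The host name nis-master.example, the script path, key-based root SSH to the master, and chpasswd plus a /var/yp Makefile on the master are all assumptions.

```sh
#!/bin/sh
# Constructed example: a "passwd program" for a Samba PDC that is not the NIS master.
# Hypothetical smb.conf lines that would call it (path and chat strings are assumptions):
#   unix password sync = yes
#   passwd program = /usr/local/sbin/nis-setpw %u
#   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*
LC_ALL=C; export LC_ALL
NIS_MASTER="${NIS_MASTER:-nis-master.example}"   # assumed host name

# Accept only plain account names; Samba runs this as root, so never touch root itself.
valid_user() {
    [ "${#1}" -le 32 ] || return 1
    case "$1" in
        ''|root|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# chpasswd input format is "name:password"; the password may itself contain ':'.
build_record() {
    printf '%s:%s\n' "$1" "$2"
}

main() {
    user=$1
    valid_user "$user" || { echo "refused: bad user name" >&2; return 1; }
    printf 'New password: '
    IFS= read -r pw1 || return 1
    printf 'Retype new password: '
    IFS= read -r pw2 || return 1
    [ -n "$pw1" ] && [ "$pw1" = "$pw2" ] || { echo "passwords do not match"; return 1; }
    # The clear text is passed on stdin, not as an argument of ssh or chpasswd.
    build_record "$user" "$pw1" |
        ssh -o BatchMode=yes "root@$NIS_MASTER" 'chpasswd && make -C /var/yp >/dev/null' ||
        { echo "update on NIS master failed"; return 1; }
    echo "password updated"
}

# Samba passes the user name as the only argument; with no arguments the
# file only defines its functions.
[ "$#" -eq 0 ] || main "$@"
```

The SSH key this relies on can reset any non-root account on the NIS master, so it is worth restricting it to that one command in authorized_keys on the master.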