[Samba] Automatically running a script on Samba PDC when Windows user changes his password

Edmundo Valle Neto edmundo.valle at terra.com.br
Fri Aug 24 01:02:08 GMT 2007


Felip Manyé wrote:
> Hello,
>   

Hello.

> I've installed a Samba 3 PDC using LDAP authentication, along with the
> smbldap tools, on Ubuntu GNU/Linux. Everything works fine and (XP Pro)
> Windows clients can join my domain.
> I would like Samba to automatically run a (home made) script on the PDC
> server when the user changes his password on his machine in order to update
> it on other servers (for instance our mail server uses another LDAP for
> authentication, but there are still many accounts of this kind), so that the
> user has to remember only one password for all these applications.
> I've already had a look at the "passwd program" line in my smb.conf file. By
> default it was commented like this:
>
> #passwd program = /usr/sbin/smbldap-passwd ?u %u
>   

It's "-u" not "?u".

> and "ldap passwd sync" is set to Yes (which seems quite sensible since I use
> LDAP authentication).
>   

These options serve similar purposes.
"ldap passwd sync" works alone.
"unix password sync" works by executing "passwd program" with "passwd chat"
to sync the unix password.

With LDAP just setting "ldap password sync" is enough and when "unix
password sync" is set to no, the other options aren't used.

So, you can set "unix password sync" and put another script (it wasn't
made for that purpose, but works).
Or turn off "ldap password sync" and use "unix password sync" with a
changed smbldap-tools script, that does what it already does plus what
you want it to do.

> The matter is that I was unable to use this line to automatically run a
> script as explained above. As an example I've tried to create a file (in a
> directory with 777 permissions) with the "touch" command (passwd program =
> touch mydirectory/myfile), but it has no effect.

This script is executed by root; the permissions assigned to others
don't make much difference. The script cannot be executed as a
normal user.

> I may not have correctly
> understood this feature, or maybe it cannot be used with LDAP
> authentication.
>   

If you didn't have "unix password sync = yes" it will not execute. I just
don't know what the behavior of samba would be if the command or script
that you put in there begins to write things to stdout or stderr.

> Do you know whether this kind of trick is possible, and if so how to achieve
> it ?
>
> Thanks in advance,
>
> Felip.
>   

Take a look at the man page of smb.conf, there are some details to make a
"passwd program" work, it should honor the password chat too and will
always be executed as root.

I use something like that (changing the smbldap-tools script) to sync
digest hashes for authentication through squid digest ldap helper.


Regards.

Edmundo Valle Neto
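
Added example (not part of the original message, and not smbldap-tools code): a minimal Python wrapper that can stand in as the "passwd program" when "unix password sync = yes", emitting the prompts that "passwd chat" waits for and handing the new password to downstream updaters on stdin. The wrapper path, the updater command `/usr/local/sbin/update-mail-ldap`, the prompt wording and the user-name pattern are assumptions.

```python
r"""Added example: wrapper for smb.conf "passwd program" (smbd runs it as root).

Assumed smb.conf lines (the wrapper path is a placeholder):
    unix password sync = yes
    passwd program = /usr/local/sbin/pw-sync-wrapper %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*
"""
import re
import subprocess
import sys

# Hypothetical updaters: user name as argv[1], new password on stdin so it
# never appears in the process list or in shell history.
SYNC_COMMANDS = ["/usr/local/sbin/update-mail-ldap"]
# Reject names starting with "-" or containing shell/option metacharacters.
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}\$?")

def push_password(user, password, commands=SYNC_COMMANDS):
    """Run every updater; return the commands that failed."""
    failed = []
    for cmd in commands:
        try:
            rc = subprocess.run([cmd, user], input=password + "\n", text=True,
                                stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL).returncode
        except OSError:
            rc = 127  # updater missing or not executable
        if rc != 0:
            failed.append(cmd)
    return failed

def chat(user, stdin, stdout, push=push_password):
    """Emit the prompts "passwd chat" waits for; return the exit status."""
    if not USER_RE.fullmatch(user):
        return 2
    answers = []
    for prompt in ("New password: ", "Retype new password: "):
        stdout.write(prompt)
        stdout.flush()
        answers.append(stdin.readline().rstrip("\r\n"))
    if not answers[0] or answers[0] != answers[1]:
        stdout.write("passwords do not match\n")
        return 1
    failed = push(user, answers[0])
    stdout.write("sync failed\n" if failed else "password updated\n")
    return 1 if failed else 0

if __name__ == "__main__":
    sys.exit(chat(sys.argv[1] if len(sys.argv) > 1 else "", sys.stdin, sys.stdout))
```

Only fixed status strings reach stdout, so the chat match stays predictable and the password is never echoed or logged.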


