[Samba] Making Samba change the Unix Password (/etc/shadow)

Parag Kalra paragkalra at gmail.com
Wed Feb 6 19:10:12 GMT 2008 

Hello Adam,

How can a samba user login into Windows Machine and be able to change the
password?

Do we need to create the samba user locally on windows machine?

Or do we need to specify "security=domain" or "security=ad" on the Samba
Server?

Thanks and Regards,
Parag Kalra

On Feb 6, 2008 8:40 PM, Adam Williams <awilliam at mdah.state.ms.us> wrote:

>  if you have
>
> unix password sync = Yes
>
>
> and your passwd program = and passwd chat = lines set correctly, in XP, a
> user will hit ctrl alt del and click on change password, and put in their
> old and new password, and then samba will write their new password to
> /etc/samba/smbpasswd and then run the passwd program to change the user's
> linux shell password.  i don't think you'll need to do anything special and
> pam for that.  i didn't with out of the box fedora and centos installations
> anyway.
>
>
> Parag Kalra wrote:
>
> Hello all,
>
> I am getting confused?
>
> Is it possible to reflect the changes made in /etc/passwd on
> /etc/samba/smbpasswd or is it vice versa?
>
> What exactly does " unix password sync = Yes " do ?
>
> Also I found a work around from following URL:http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id431902
>
> I don't know where to place the following entry:
>
> [#%PAM-1.0
> # password-sync
> #
> auth       requisite    pam_nologin.so
> auth       required     pam_unix.so
> account    required     pam_unix.so
> password   requisite    pam_cracklib.so retry=3
> password   requisite    pam_unix.so shadow md5 use_authtok try_first_pass
> password   required     pam_smbpass.so nullok use_authtok try_first_pass
> session    required     pam_unix.so]
>
> Do I need to need to create a new file "/etc/pam.d/"? If yes then by
> what name and what all services do I need to run apart from smb?
>
> Thanks and Regards,
> Parag Kalra
>
>
> On 2/5/08, Adam Williams <awilliam at mdah.state.ms.us> <awilliam at mdah.state.ms.us> wrote:
>
>
>  this is my passwd chat for RHEL:
>
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
>
> Parag Kalra wrote:
>
>
>  I am using RHEL 4 U5.
>
> The enteries under concern are:
>
> unix password sync = Yes
>
> passwd program = /usr/bin/passwd %u
>
> passwd chat = "*enter old password*" %o\\n "*Enter NEW password*" %n\\n
> "*reenter New passwd*" %n\\n "*password changed*"
>
> username map = /etc/samba/smbusers
>
> Also to view the entire file please see the attachment.
> --
> Parag Kalra
>
> On Feb 5, 2008 5:37 AM, Rubin Bennett <rbennett at thatitguy.com> <rbennett at thatitguy.com> wrote:
>
>
>
>
>  Ok, I assume that your system does have a pam auth subsystem?
>
> What distro are you on, and may we see your smb.conf (you can omit the
> share definitions)?
>
> Rubin
> On Tue, 2008-02-05 at 05:26 +0530, Parag Kalra wrote:
>
>
>
>  Yes I have restarted smb but still no fruits.
>
> Also placing "passwd chat debug = yes" didn't generate any log
> in /var/log/samba/smd.log
>
> Could anyone please explain the following:
>
> [If you want to keep using passwd instead of PAM, could you write a
> wrapper/replacement for passwd that logs everything that happens?]
>
> --
> Parag Kalra
>
> On Feb 5, 2008 5:11 AM, Rubin Bennett <rbennett at thatitguy.com> <rbennett at thatitguy.com> wrote:
>         Did you restart samba (/etc/init.d/smb restart)?
>
>         You need to at least do a reload (/etc/init.d/smb reload) for
>         config
>         file changes to be read.
>
>         Rubin
>
>
>         On Tue, 2008-02-05 at 08:09 +0900, Michael Heydon wrote:
>         > Parag Kalra wrote:
>         > > Hi Rubin,
>         > >
>         > > I made the changes suggested by you but still its not
>         working.
>         > >
>         > > --
>         > > Parag Kalra
>         > >
>         > > On Feb 5, 2008 3:29 AM, Rubin Bennett
>         <rbennett at thatitguy.com> <rbennett at thatitguy.com> wrote:
>         > >
>         > >
>         > >> On Tue, 2008-02-05 at 02:26 +0530, Parag Kalra wrote:
>         > >>
>         > >>> Hello all,
>         > >>>
>         > >>> I am trying to change the linux login password through
>         the smbpasswd
>         > >>> command by placing following  parameters in smb.conf
>         file:
>         > >>>
>         > >>> unix password sync = Yes
>         > >>> passwd program = /usr/bin/passwd %u
>         > >>> passwd chat = "*enter old password*" %o\\n "*Enter NEW
>         password*"
>         > >>> %n\\n "*reenter New passwd*" %n\\n "*password changed*"
>         > >>>
>         > >>>
>         > >> testparm is your friend :)  It should complain about the
>         passwd command,
>         > >> and for good reason; it shouldn't be there.  Use:
>         > >> pam password change = yes
>         > >> instead, and get rid of the passwd program and passwd
>         chat lines.
>         > >>
>         > >>
>         > PAM is far from universal, there are plenty of OSes and
>         distros that do
>         > not include PAM. The man page doesn't say anything about
>         passwd program
>         > being depreciated, why would testparm complain about it?
>         >
>         > Are you getting anything in the logs when trying to reset
>         the password?
>         > Have you tried enabling passwd chat debug (you may have to
>         up your log
>         > level as well)? If you want to keep using passwd instead of
>         PAM, could
>         > you write a wrapper/replacement for passwd that logs
>         everything that
>         > happens?
>         > >> HTH,
>         > >> Rubin
>         > >>
>         > >>
>         > >
>         >
>         > *Michael Heydon - IT Administrator *
>         > michaelh at jaswin.com.au <mailto:michaelh at jaswin.com.au> <michaelh at jaswin.com.au>
>
>         --
>
>         Rubin Bennett
>         RB Technologies
>         http://thatitguy.com
>         rbennett at thatitguy.com
>         (802)223-4448
>
>         "They that can give up essential liberty to obtain a little
>         temporary security deserve neither liberty nor safety"
>          --Benjamin Franklin, Historical Review of Pennsylvania, 1759
>
>
>
>
>
>
> --
> Love,
> PARAG . A . KALRA
>
> Good judgment comes from experience, and experience comes from bad
> judgment
> http://discoverlinux.blogspot.com
> Debian Linux! A Dawn of New Era!
>
>
>
>  --
> Rubin Bennett
> RB Technologieshttp://thatitguy.comrbennett@thatitguy.com
> (802)223-4448
>
> "They that can give up essential liberty to obtain a little
> temporary security deserve neither liberty nor safety"
>  --Benjamin Franklin, Historical Review of Pennsylvania, 1759
>
>
>
>
>
>
>


-- 
Love,
PARAG . A . KALRA

Good judgment comes from experience, and experience comes from bad judgment

http://discoverlinux.blogspot.com
Debian Linux! A Dawn of New Era!

More information about the samba mailing list