[Samba] RE: Sync passwords unix/smb with FDS backend?

Deas, Jim James.Deas at warnerbros.com
Wed Jan 9 20:52:16 GMT 2008


Sorry about the acro, I am working with Fedora Directory Server (ldap).
Currently user passwords stored in FDS can be changed from netatalk
(apple protocol), FDS web interface, or unix/passwd via the PAM
interface. To hit all three of these areas I would think that the
password sync would need to somehow be down in FDS.
Looking forward I would like to find an ldap solution. Anything else
will cause additional steps when I add new users to the network.
I will read through pdbedit but unless I can trigger it through ldap I
don't know what good it will do.

JD



-----Original Message-----
From: Scott Lovenberg [mailto:scott.lovenberg at gmail.com] 
Sent: Wednesday, January 09, 2008 12:43 PM
To: Ryan Novosielski
Cc: Denis Cardon; samba at lists.samba.org; Deas, Jim
Subject: Re: Sync passwords unix/smb with FDS backend?

Ryan Novosielski wrote:
> Denis Cardon wrote:
>> Hi Jim,
>>> Using simple authentication I have been able to tie FDS to Samba 3.x.24.
>>> Knowing that the unix passwd and smb passwd are different, dare I ask
>>> how difficult it would be to have them sync? Most of my users are using
>>> netatalk w/ posix user info and MD5 password. I would like to swing this
>>> over to samba without the worries of two passwords per user. I have seen
>>> blips on this but not directly related to FDS
>>>
>> if you store both your samba and your unix password in the ldap, you can
>> get them in sync by updating both of them when one changes its password.
>> You'll need to update the smb.conf file to take that into account for
>> the windows part, and update your other password changing apps accordingly.
>>
>> If what you want is in fact getting an NTLM hash from the existing md5
>> hash, I'm afraid it won't be possible. Users will have to change their
>> password once to update both ntlm and md5 password hash.
> 
> Not entirely true, or at least it wasn't last time I tried this. For me,
> I used a method that included a PAM module that, on successful auth
> (actually, for HP-UX, any auth, which was unfortunate, since they have
> no 'requisite' directive in PAM), populated the smbpasswd file.
>
> I don't know what FDS is, but it seems to me you could go this route and
> then convert the smbpasswd file to whatever you wanted via pdbedit.
> 
> =R
> 
> - --
>  ---- _  _ _  _ ___  _  _  _
>  |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
>  |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
>  \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
> 

Scratch my last message about FDS; I was thinking of Apache Directory 
Server.  FDS is pretty mature.  Sorry about that.

