[Samba] Re: Sync passwords unix/smb with FDS backend?

Ryan Novosielski novosirj at umdnj.edu
Wed Jan 9 20:58:08 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The PAM module I mentioned is not for sync, really, but for initial
migration from /etc/passwd to an NT-hashed password store (in smbpasswd
format).

If you're trying to sync passwords (a person has accounts in both places
with working passwords on both sides already and just wants them both to
change at the same time), then there are other ways to handle this natively.

Deas, Jim wrote:
> Sorry about the acro, I am working with Fedora Directory Server (ldap).
> Currently user passwords stored in FDS can be changed from netatalk
> (apple protocol), FDS web interface, or unix/passwd via the PAM
> interface. To hit all three of these areas I would think that the
> password sync would need to somehow be down in FDS.
> Looking forward I would like to find an ldap solution. Anything else
> will cause additional steps when I add new users to the network.
> I will read through pdbedit but unless I can trigger it through ldap I
> don't know what good it will do.
> 
> JD
> 
> 
> 
> -----Original Message-----
> From: Scott Lovenberg [mailto:scott.lovenberg at gmail.com] 
> Sent: Wednesday, January 09, 2008 12:43 PM
> To: Ryan Novosielski
> Cc: Denis Cardon; samba at lists.samba.org; Deas, Jim
> Subject: Re: Sync passwords unix/smb with FDS backend?
> 
> Ryan Novosielski wrote:
> Denis Cardon wrote:
>>>> Hi Jim,
>>>>> Using simple authentication I have been able to tie FDS to Samba 3.x.24.
>>>>> Knowing that the unix passwd and smb passwd are different, dare I ask
>>>>> how difficult it would be to have them sync? Most of my users are using
>>>>> netatalk w/ posix user info and MD5 password. I would like to swing this
>>>>> over to samba without the worries of two passwords per user. I have seen
>>>>> blips on this but not directly related to FDS
>>>>>
>>>> if you store both your samba and your unix password in the ldap, you can
>>>> get them in sync by updating both of them when one changes its password.
>>>> You'll need to update the smb.conf file to take that into account for
>>>> the windows part, and update your other password changing apps accordingly.
>>>> If what you want is in fact getting a NTLM hash from the existing md5
>>>> hash, I'm afraid it won't be possible. Users will have to change their
>>>> password once to update both ntlm and md5 password hash.
> Not entirely true, or at least it wasn't last time I tried this. For me,
> I used a method that included a PAM module that, on successful auth
> (actually, for HP-UX, any auth, which was unfortunate, since they have
> no 'requisite' directive in PAM), populated the smbpasswd file.
>
> I don't know what FDS is, but it seems to me you could go this route and
> then convert the smbpasswd file to whatever you wanted via pdbedit.
> 
> =R
> 
>>

> Scratch my last message about FDS; I was thinking of Apache Directory 
> Server.  FDS is pretty mature.  Sorry about that.


- --
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHhTVgmb+gadEcsb4RAqMjAJ0WTEmNaf0Ch45Sxdds/zRYoYDZowCfaX/A
9Np+27j7yavYzSD2FeJWA00=
=FOhp
-----END PGP SIGNATURE-----

