[Samba] RE: Sync passwords unix/smb with FDS backend?
James.Deas at warnerbros.com
Wed Jan 9 21:56:02 GMT 2008
That is close. We have several hundred unix accounts used by our Mac
clients via pam/ldap authentication.

Here is the scenario. Consider 300 Macs tired of native file services
and willing to use smb. I can't move them all in one year much less one
weekend. Their account/password must be valid for both realms. Currently
no password or user data exist for the smb side. In small systems I
could run smbpasswd -a <macuser> for all users but that does not address
future password issues. It is also an additional step when adding users
to the system.

What would be slick is an ldap launched app that changed the smbpassword
whenever the unix one was changed. Same thing with a new unix user.

From: Ryan Novosielski [mailto:novosirj at umdnj.edu]
Sent: Wednesday, January 09, 2008 12:58 PM
To: Deas, Jim
Cc: Scott Lovenberg; Denis Cardon; samba at lists.samba.org
Subject: Re: Sync passwords unix/smb with FDS backend?

The PAM module I mentioned is not for sync, really, but for initial
migration from /etc/passwd to an NT-hashed password store (in smbpasswd

If you're trying to sync passwords (a person has accounts in both places
with working passwords on both sides already and just wants them both to
change at the same time), then there are other ways to handle this

Deas, Jim wrote:
> Sorry about the acro, I am working with Fedora Directory Server
> Currently user passwords stored in FDS can be changed from netatalk
> (apple protocol), FDS web interface, or unix/passwd via the PAM
> interface. To hit all three of these areas I would think that the
> password sync would need to somehow be down in FDS.
> Looking forward I would like to find an ldap solution. Anything else
> will cause additional steps when I add new users to the network.
> I will read through pbedit but unless I can trigger it through ldap I
> don't know what good it will do.
> -----Original Message-----
> From: Scott Lovenberg [mailto:scott.lovenberg at gmail.com]
> Sent: Wednesday, January 09, 2008 12:43 PM
> To: Ryan Novosielski
> Cc: Denis Cardon; samba at lists.samba.org; Deas, Jim
> Subject: Re: Sync passwords unix/smb with FDS backend?
> Ryan Novosielski wrote:
> Denis Cardon wrote:
>>>> Hi Jim,
>>>>> Using simple authentication I have been able to tie FDS to Samba
>>>>> Knowing that the unix passwd and smb passwd are different, dare I
>>>>> how difficult it would be to have them sync? Most of my users are
>>>>> netatalk w/ posix user info and MD5 password. I would like to
>>>>> over to samba without the worries of two passwords per user. I
>>>>> blips on this but not directly related to FDS
>>>> if you store both your samba and your unix password in the ldap,
>>>> get them in sync by updating both of them when one change its
>>>> You'll need to update the smb.conf file to take that into account
>>>> the windows part, and update your other password changing apps
>>>> If what you want is in fact getting a NTLM hash from the existing
>>>> hash, I'm afraid it won't be possible. Users will have to change
>>>> password once to update both ntlm and md5 password hash.
> Not entirely true, or at least it wasn't last time I tried this. For
> I used a method that included a PAM module that, on successful auth
> (actually, for HP-UX, any auth, which was unfortunate, since they have
> no 'requisite' directive in PAM), populated the smbpasswd file.
> I don't know what FDS is, but it seems to me you could go this route
> then convert the smbpasswd file to whatever you wanted via pdbedit.
> Scratch my last message about FDS; I was thinking of Apache Directory
> Server. FDS is pretty mature. Sorry about that.
---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Systems Programmer II
|$&| |__| | | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630