[Samba] looking for a pam_smbpass user to answer passwd sync issues

Ryan Novosielski novosirj at umdnj.edu
Thu Jan 10 18:27:55 GMT 2008



The only advantage that pam_smbpass gives you over the built-in LDAP
methods is that it allows the passwords to be migrated WITHOUT a
password change (successful auth is enough to trigger the migration in a
properly configured PAM setup).

If you are planning to force every user to change their password in
order to be migrated, there is no need to use pam_smbpass as there are
better LDAP built-in tools to accomplish the same thing (that will not
require you to jump through the additional hurdle of importing the
newly-created smbpasswd file to LDAP).

In my case, it was unacceptable to make 10,000 students change their
passwords to get them into the smbpasswd file. What we did (note, we
were actually using smbpasswd at that time, so it was the obvious
choice) is to use the migrate argument (or whatever it is called -- the
docs mention it) in order to migrate them into smbpasswd when they
logged into our lab next. After a few months we were confident everyone
made it in, and we pulled the trigger on using that passdb instead of
the unencrypted use of /etc/passwd.

Is this clearer now?

Deas, Jim wrote:
> I need to let my users change their password using PAM to preserve the
> existing ldap authentication system. How can I force pam to sync the smb
> password to the unix one.
> I am running Fedora 7 package on an x86-64 system. I have smb working
> via ldap and sambasam.schema (v3.0.24) I have unix password sync = yes
> but it should not come into play as I never plan to reset passwords via
> smbd.
>  In '/etc/pam.d/system-auth' I was trying to use pam_smbpass.so
> The original pam script for password had
> password          sufficient           pam_ldap.so use_authtok
> I changed it to:
> password          requisite            pam_ldap.so use_authtok
> password          required             pam_smbpass.so use_authtok try_first_pass
> The problem is I get a token manipulation error. Am I using it wrong?
> What would be even better is if someone knows how to do this directly in
> Fedora DS so all avenues of changing the password would change both.
> Apparently smbpasswd depends on smbd running so that is not an option. I
> don't know if pdbedit could do it or be launched as a script directly
> from the directory server.

--
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
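The "wait a few months, then check that everyone made it in" step described above needs an actual check before the cutover. The script below is an added example, not part of the original post or of Samba: it takes a passwd-format user list (what `getent passwd` prints) and a `pdbedit -L`-format list (user:uid:full name, which is the real `pdbedit -L` output format) and reports every real login account that is still missing from the Samba passdb, i.e. has not yet been migrated by a `pam_smbpass.so migrate` login. The sample data is constructed; the minimum-uid cutoff and the login-shell filter are assumptions you should adjust to your site.

```shell
#!/bin/sh
# Added example (not from the samba list post): find local accounts not yet
# present in the Samba passdb. Both inputs are passed as text so the check
# can be run against captured output, e.g.
#   unmigrated_users "$(getent passwd)" "$(pdbedit -L)"
# The samples below are constructed, not real site data.

# unmigrated_users PASSWD_TEXT PDBEDIT_TEXT [MIN_UID]
#   PASSWD_TEXT  lines in /etc/passwd format: name:x:uid:gid:gecos:home:shell
#   PDBEDIT_TEXT lines in `pdbedit -L` format: name:uid:full name
#   MIN_UID      ignore system accounts below this uid (assumed default 500)
# Prints one unmigrated user name per line, in passwd order.
unmigrated_users() {
  passwd_text=$1
  pdb_text=$2
  min_uid=${3:-500}

  # Names already in the passdb go to a temp file that awk reads into a set.
  tmp=$(mktemp) || return 1
  printf '%s\n' "$pdb_text" | awk -F: 'NF >= 2 { print $1 }' > "$tmp"

  # Keep only accounts with uid >= MIN_UID and a real login shell
  # (accounts with nologin/false never log in, so pam_smbpass cannot
  # migrate them and they are not expected in the passdb).
  printf '%s\n' "$passwd_text" \
    | awk -F: -v min="$min_uid" -v pdb="$tmp" '
        BEGIN { while ((getline line < pdb) > 0) seen[line] = 1; close(pdb) }
        $3 + 0 >= min + 0 && $7 !~ /(nologin|false)$/ && !($1 in seen) { print $1 }'
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Constructed sample input: two users migrated (alice, carol), one not (bob),
# plus system and service accounts that should be ignored.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
carol:x:1003:1003:Carol Example:/home/carol:/bin/bash
svc:x:1004:1004:Service Account:/var/lib/svc:/sbin/nologin'

PDB_SAMPLE='alice:1001:Alice Example
carol:1003:Carol Example'

# Prints "bob": the only real account that has not been migrated yet.
unmigrated_users "$PASSWD_SAMPLE" "$PDB_SAMPLE"
```

Run it periodically during the migration window; when the output is empty for your real `getent passwd` / `pdbedit -L` output, every account that can log in has been captured and the passdb switch is safe. Lowering MIN_UID to 0 also surfaces root and other low-uid accounts with a login shell, which is usually what you want to exclude deliberately rather than by accident.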

