[Samba] looking for a pam_smbpass user to answer passwd sync issues

Deas, Jim James.Deas at warnerbros.com
Thu Jan 10 20:19:34 GMT 2008


Ryan,
 Wish I could say yes but no, not clear. My existing users are all Mac
OSX clients using the netatalk package. Netatalk uses the PAM system to
authenticate. I have the ldap modules in pam.d setup to use the LDAP
posix structure for netatalk authentication.
The issue is how to create and sync a smbpassword to the the exisiting
LDAP/POSIX structure. I am half way there by adding the new
sambaSam.schema to the LDAP system. I can now create a user with the
standard smbpasswd program and authenticate them into a smb share.

I don't mind telling the users that they need to change their password
to gain access to the new smb services so a migration script is not
needed. From what I understand there is no way to take the MD5 unix
password and convert it to smb anyhow.

Best Option, find a way to make Fedora DS run a script that updates the
users smb data including syncing the password when changes to the posix
structure happen.

Second Option, find a way to make pam.d execute both the passwd and
smbpasswd processes for password changes. This is second choice as some
of the Fedora DS tools would not be usefull.

I do not need to sync the other way around (smb->(md5)posix). I will not
authenticate WinX workstations with this system. Only smb disk share
authentication via smbd. So in a sense, the PDC is only used by the
several samba instances to authenticate disk shares.

JD
 

-----Original Message-----
From: Ryan Novosielski [mailto:novosirj at umdnj.edu] 
Sent: Thursday, January 10, 2008 10:28 AM
To: Deas, Jim
Cc: samba at lists.samba.org
Subject: Re: [Samba] looking for a pam_smbpass user to answer passwd
sync issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim,

The only advantage that pam_smbpass gives you over the built-in LDAP
methods is that it allows the passwords to be migrated WITHOUT a
password change (successful auth is enough to trigger the migration in a
properly configured PAM setup).

If you are planning to force every user to change their password in
order to be migrated, there is no need to use pam_smbpass are there are
better LDAP built-in tools to accomplish the same thing (that will not
require you to jump through the additional hurdle of importing the
newly-created smbpasswd file to LDAP).

In my case, it was unacceptable to make 10,000 students change their
passwords to get them into the smbpasswd file. What we did (note, we
were actually using smbpasswd at that time, so it was the obvious
choice) is to use the migrate argument (or whatever it is called -- the
docs mention it) in order to migrate them into smbpasswd when they
logged into our lab next. After a few months we were confident everyone
made it in, and we pulled the trigger on using that passdb instead of
the unencrypted use of /etc/passwd.

Is this clearer now?

Deas, Jim wrote:
> I need to let my users change their password using PAM to preserve the
> existing ldap authentication system. How can I force pam to sync the
smb
> password to the unix one.
> 
> I am running Fedora 7 package on an x86-64 system. I have smb working
> via ldap and sambasam.schema (v3.0.24) I have unix password sync = yes
> but it should not come into play as I never plan to reset passwords
via
> smbd.
> 
>  
> 
>  In '/etc/pam.d/system-auth' I was trying to use pam_smbpass.so
> 
> The original pam script for password had
> 
>  
> 
> password          sufficient           pam_ldap.so use_authtok
> 
>  
> 
> I changed it to:
> 
>  
> 
> password          requisite            pam_ldap.so use_authtok
> 
> password         required            pam_smbpass.so use_authtok
> try_first_pass
> 
>  
> 
>  
> 
> The problem is I get a token manipulation error. Am I using it wrong?
> 
>  
> 
> What would be even better is if someone knows how to do this directly
in
> Fedora DS so all avenues of changing the password would change both.
> Apparently smbpasswd depends on smbd running so that is not an option.
I
> don't know if pdbedit could do it or be launched as a script directly
> from the directory server.

- --
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHhmOqmb+gadEcsb4RArjdAKCmAEQwCbLSA05PZdIOaTu7wFYoxwCgszTk
XCSfXIx6FZP52HVIhcCTZic=
=0Taj
-----END PGP SIGNATURE-----


More information about the samba mailing list