[Samba] looking for a pam_smbpass user to answer passwd sync issues

Ryan Novosielski novosirj at umdnj.edu
Thu Jan 10 20:26:55 GMT 2008


Deas, Jim wrote:
> Ryan,
>  Wish I could say yes but no, not clear. My existing users are all Mac
> OSX clients using the netatalk package. Netatalk uses the PAM system to
> authenticate. I have the ldap modules in pam.d setup to use the LDAP
> posix structure for netatalk authentication.
> The issue is how to create and sync a smbpassword to the existing
> LDAP/POSIX structure. I am halfway there by adding the new
> sambaSam.schema to the LDAP system. I can now create a user with the
> standard smbpasswd program and authenticate them into a smb share.
> 
> I don't mind telling the users that they need to change their password
> to gain access to the new smb services so a migration script is not
> needed. 

If you don't mind telling them that, fine. In that case, pam_smbpass is
not necessary, and you can use LDAP tools to keep passwords in sync.
There are many documents on the web about how to do this.

> From what I understand there is no way to take the MD5 unix
> password and convert it to smb anyhow.

That is true, but not entirely. The way that pam_smbpasswd "converted"
the file is that it would be present in the "auth" part of the PAM
stack. You would authenticate the user however they are authenticating
at present. Basically:

1) User enters PW upon a login to any PAM-enabled auth service.
2) PAM receives password, and accepts the user/auths them.
3) PAM hands the password that was just entered to pam_smbpasswd.
4) pam_smbpasswd takes that user input (thereby not needing the hash)
and hashes it in SMB and writes it to smbpasswd.

As you can see, there is no password change here, just normal auth. That
is what I was talking about. There is no conversion of MD5 to SMB, just
conversion of user input of their password during their normal duties
into the SMB file.

> Best Option, find a way to make Fedora DS run a script that updates the
> users smb data including syncing the password when changes to the posix
> structure happen.
> 
> Second Option, find a way to make pam.d execute both the passwd and
> smbpasswd processes for password changes. This is second choice as some
> of the Fedora DS tools would not be useful.
> 
> I do not need to sync the other way around (smb->(md5)posix). I will not
> authenticate WinX workstations with this system. Only smb disk share
> authentication via smbd. So in a sense, the PDC is only used by the
> several samba instances to authenticate disk shares.
> 
> JD
>  
> 
> -----Original Message-----
> From: Ryan Novosielski [mailto:novosirj at umdnj.edu] 
> Sent: Thursday, January 10, 2008 10:28 AM
> To: Deas, Jim
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] looking for a pam_smbpass user to answer passwd
> sync issues
> 
> Jim,
> 
> The only advantage that pam_smbpass gives you over the built-in LDAP
> methods is that it allows the passwords to be migrated WITHOUT a
> password change (successful auth is enough to trigger the migration in a
> properly configured PAM setup).
> 
> If you are planning to force every user to change their password in
> order to be migrated, there is no need to use pam_smbpass as there are
> better LDAP built-in tools to accomplish the same thing (that will not
> require you to jump through the additional hurdle of importing the
> newly-created smbpasswd file to LDAP).
> 
> In my case, it was unacceptable to make 10,000 students change their
> passwords to get them into the smbpasswd file. What we did (note, we
> were actually using smbpasswd at that time, so it was the obvious
> choice) is to use the migrate argument (or whatever it is called -- the
> docs mention it) in order to migrate them into smbpasswd when they
> logged into our lab next. After a few months we were confident everyone
> made it in, and we pulled the trigger on using that passdb instead of
> the unencrypted use of /etc/passwd.
> 
> Is this clearer now?
> 
> Deas, Jim wrote:
>> I need to let my users change their password using PAM to preserve the
>> existing ldap authentication system. How can I force pam to sync the
>> smb password to the unix one.
>>
>> I am running Fedora 7 package on an x86-64 system. I have smb working
>> via ldap and sambasam.schema (v3.0.24) I have unix password sync = yes
>> but it should not come into play as I never plan to reset passwords
>> via smbd.
>>
>> In '/etc/pam.d/system-auth' I was trying to use pam_smbpass.so
>>
>> The original pam script for password had
>>
>> password          sufficient           pam_ldap.so use_authtok
>>
>> I changed it to:
>>
>> password          requisite            pam_ldap.so use_authtok
>> password          required             pam_smbpass.so use_authtok try_first_pass
>>
>> The problem is I get a token manipulation error. Am I using it wrong?
>>
>> What would be even better is if someone knows how to do this directly
>> in Fedora DS so all avenues of changing the password would change both.
>> Apparently smbpasswd depends on smbd running so that is not an option.
>> I don't know if pdbedit could do it or be launched as a script directly
>> from the directory server.
>

--
 ---- _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |novosirj at umdnj.edu - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630


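As an added illustration of the four-step auth flow Ryan describes and of the password-change sync Jim asks about (this is not configuration from either poster), here is a Red Hat style /etc/pam.d/system-auth fragment for the LDAP/POSIX case in this thread. The module names and the migrate, use_authtok and try_first_pass options are the ones the thread refers to; the control flags and the ordering are my assumptions about how to keep the two password stores in step.

```conf
# Added example, not Jim's or Ryan's file: /etc/pam.d/system-auth excerpt
# for an LDAP/POSIX site that wants the SMB hashes kept in step.

# auth: the existing password is verified by pam_ldap first (steps 1-2).
# requisite stops the stack on a bad password, so pam_smbpass only ever sees
# a plaintext that has just been accepted (steps 3-4). With "migrate" it
# stores the LM/NT hashes for users who have none yet, so no password change
# is needed; the hashes go through Samba's passdb (whatever smb.conf names).
auth        required      pam_env.so
auth        requisite     pam_ldap.so
auth        optional      pam_smbpass.so migrate

# account: unchanged from a plain LDAP setup
account     required      pam_ldap.so

# password: pam_cracklib prompts for the new password, checks it, and leaves
# it as the stacked token. pam_ldap (requisite) changes the POSIX password
# from that token with use_authtok; if that fails the stack stops before the
# SMB side is touched, so the two stores cannot drift apart. pam_smbpass then
# writes the same token into the SMB hashes.
password    requisite     pam_cracklib.so retry=3
password    requisite     pam_ldap.so use_authtok
password    required      pam_smbpass.so use_authtok try_first_pass
```

One ordering caveat: a `sufficient` module that succeeds returns from the stack immediately, so in a stock file that keeps `sufficient` lines for pam_unix or pam_ldap, pam_smbpass must sit before them or it will never run.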