[Samba] looking for a pam_smbpass user to answer passwd sync issues

Edmundo Valle Neto edmundo.valle at terra.com.br
Thu Jan 10 21:58:37 GMT 2008

Deas, Jim wrote:
> Ryan,
>  Wish I could say yes but no, not clear. My existing users are all Mac
> OSX clients using the netatalk package.

I never used a Mac or Netatalk, but ...

>  Netatalk uses the PAM system to
> authenticate. I have the ldap modules in pam.d setup to use the LDAP
> posix structure for netatalk authentication.
> The issue is how to create and sync a smbpassword to the existing
> LDAP/POSIX structure. I am half way there by adding the new
> sambaSam.schema to the LDAP system. I can now create a user with the
> standard smbpasswd program and authenticate them into a smb share.
> I don't mind telling the users that they need to change their password
> to gain access to the new smb services so a migration script is not
> needed. From what I understand there is no way to take the MD5 unix
> password and convert it to smb anyhow.

Well, you will probably want to change the accounts by adding the samba 
attributes first. (Sure, if you do that, you will have a nonworking 
password.) Then make the clients change the passwords and sync.

> Best Option, find a way to make Fedora DS run a script that updates the
> user's smb data including syncing the password when changes to the posix
> structure happen.

I think I saw something like that as a patch to LDAP, but I don't 
remember even the name. I saw it and I didn't like it.

> Second Option, find a way to make pam.d execute both the passwd and
> smbpasswd processes for password changes. This is second choice as some
> of the Fedora DS tools would not be useful.

Here we have a contradiction: smbpasswd uses samba to do its job, it 
doesn't do it directly. If you have that option (ask samba to do it), 
read below.
You can make pam execute pam_winbind.so after pam_ldap.so and it will 
try to find a remote Winbind daemon, and ask it to change the samba 
password (and this Winbind will be using the LDAP password database). 
Maybe you don't like it, but it's the only solution that I know that works 
using pam (the client can then use "passwd" and pam will sync both 
And NO, pam_smbpass.so that anyone tries to use doesn't do that, you 
really need winbind.

> I do not need to sync the other way around (smb->(md5)posix).

Ok. Let's say that the other way around is the configuration made inside 
samba, so samba will sync the unix password inside LDAP on its own. Then 
it will be used by the samba tools, pdbedit, net, smbpasswd, etc.

>  I will not
> authenticate WinX workstations with this system. Only smb disk share
> authentication via smbd. So in a sense, the PDC is only used by the
> several samba instances to authenticate disk shares.

The last option is to make a custom script of your own. The 
smbldap-passwd script from smbldap-tools is written in Perl and does 
almost that, accessing LDAP directly. I don't know if it will be the 
best option, as to bind to the base you need a password. So to change 
your password you need your password first, annoying.

Web applications are an option too, but I never liked to do that this way.



Edmundo Valle Neto
