[Samba] looking for a pam_smbpass user to answer passwd sync
Edmundo Valle Neto
edmundo.valle at terra.com.br
Thu Jan 10 21:58:37 GMT 2008
Deas, Jim wrote:
> Wish I could say yes but no, not clear. My existing users are all Mac
> OSX clients using the netatalk package.
I never used a Mac or Netatalk, but ...
> Netatalk uses the PAM system to
> authenticate. I have the ldap modules in pam.d setup to use the LDAP
> posix structure for netatalk authentication.
> The issue is how to create and sync a smbpassword to the existing
> LDAP/POSIX structure. I am half way there by adding the new
> sambaSam.schema to the LDAP system. I can now create a user with the
> standard smbpasswd program and authenticate them into a smb share.
> I don't mind telling the users that they need to change their password
> to gain access to the new smb services so a migration script is not
> needed. From what I understand there is no way to take the MD5 unix
> password and convert it to smb anyhow.
Well, you will probably want to change the accounts by adding the Samba
attributes first. (Sure, if you do that, you will have a non-working
password.) Then make the clients change their passwords and sync.
> Best Option, find a way to make Fedora DS run a script that updates the
> users smb data including syncing the password when changes to the posix
> structure happen.
I think I saw something like that as a patch to LDAP, but I don't
remember even the name. I saw it and I didn't like it.
> Second Option, find a way to make pam.d execute both the passwd and
> smbpasswd processes for password changes. This is second choice as some
> of the Fedora DS tools would not be useful.
Here we have a contradiction: smbpasswd uses Samba to do its job, it
doesn't do it directly. If you have that option (ask Samba to do it),
you can make PAM execute pam_winbind.so after pam_ldap.so, and it will
try to find a remote winbind daemon and ask it to change the Samba
password (and this winbind will be using the LDAP password database).
Maybe you don't like it, but it's the only solution that I know of that
works using PAM (the client can then use "passwd" and PAM will sync both).
And NO, the pam_smbpass.so that everyone tries to use doesn't do that;
you really need winbind.
> I do not need to sync the other way around (smb->(md5)posix).
OK. Let's say that the other way around is the configuration made inside
Samba, so Samba will sync the Unix password inside LDAP on its own. Then
it will be used by the Samba tools: pdbedit, net, smbpasswd, etc.
> I will not
> authenticate WinX workstations with this system. Only smb disk share
> authentication via smbd. So in a sense, the PDC is only used by the
> several samba instances to authenticate disk shares.
The last option is to make a custom script of your own. The
smbldap-passwd script from smbldap-tools is written in Perl and does
almost that, accessing LDAP directly. I don't know if it will be the
best option, as to bind to the base you need a password. So to change
your password you need your password first, annoying.
Web applications are an option too, but I never liked doing it that way.
Edmundo Valle Neto