[Samba] 2019, yet a replacement for pam_smbpass.o?

Axel Werner axel.werner.1973 at gmail.com
Mon Jun 17 09:22:38 UTC 2019


Dear SAMBA Experts,

In 2015 Andrew stated on a Red Hat bug report that you (samba.org) are going to
drop pam_smbpass.o from the Samba sources, which then happened with Samba 4,
as I can see. However, to me, and it seems to many others, this seems to be a
problem now, since this module was often used to keep the users' Samba
passwords in sync with the (leading) system passwords on "mixed" systems,
where the users are supposed to have classic Linux accounts (for ssh login)
AND also want to use Samba to conveniently access files from their Windows
workstations. Now you might ask, why then isn't Samba joined to the
existing Windows domain or AD? Several reasons for that. Most likely
because the Linux system/Samba servers must be autonomous, using their own
local Linux accounts, and may not use other authorities. So
security/authority separation.

pam_smbpass.o seems to have solved that problem for lots of people back then.
It keeps it simple, obeys PAM stacks together with many other PAM modules and
simply puts the user's "new password" into the local Samba SAM. Problem
solved.

Since the tool has been gone for several years now, the question that still seems
to be there is: how to replace that module? How to solve the
authority/synchronisation problem within a single server, when you want
users to use "passwd" or any other single command interface to maintain
their passwords for both worlds? Is the solution to have a local LDAP
answer? Will this keep the passwords synced, while having several PAM
modules to achieve a strong password policy?

I searched around for weeks and still didn't find anything promising that
might offer something as similar and simple as pam_smbpass.so for the
"password" PAM stack.
So I'm pretty lost now, hoping you can push me in the right direction or
have an idea how to solve the PW sync problem in 2019 in a way where the
Linux accounts are the leading authority so we can achieve a proper
password policy and complexity Samba didn't seem to support.

Thanks for any hint in advance!

Regards

Axel Werner
email: axel.werner.1973 at gmail.com

