samba / UNIX password sync

A.Fadyushin at it-centre.ru
Wed Aug 30 17:08:30 UTC 2006


The best way to resolve your problem is to use some external
authentication database (such as a Windows domain controller) for both the
SAMBA logins and usual logins (instead of /etc/passwd), as recommended in
previous replies.

However, if you prefer to use both /etc/passwd and smbpasswd on your
computer without the use of a domain controller/nss and need to keep them in
sync, I think that you should add a call to pam_pwdb in the 'password'
section of the samba PAM configuration file, so both pam_pwdb and
pam_smbpass will be called when the password is changed. So, your SAMBA
PAM configuration will end with something similar to (the option
'use_authtok' is used to get a password from the previous PAM module, i.e.
pam_pwdb):

password   requisite    /lib/security/pam_pwdb.so shadow md5
password   required     /lib/security/pam_smbpass.so use_authtok nodelay smbconf=/etc/samba/smb.conf

Alexey Fadyushin
Brainbench MVP for Linux
http://www.brainbench.com
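
Added example (not part of the original message and not Samba's own code): a small check of a PAM service file's 'password' stack for the layout the reply describes, run over the two configurations quoted in this thread. The function names and the UNIX_MODULES list are assumptions of this example.

```python
import re

# service-type, control (plain word or [bracketed]), module path, options
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
UNIX_MODULES = {"pam_pwdb.so", "pam_unix.so"}  # assumed list of Unix-side modules

# Constructed from the two configurations quoted in this thread (wrapped lines joined).
ORIGINAL = """\
auth       required     /lib/security/pam_smbpass.so nodelay
account    required     /lib/security/pam_pwdb.so audit nodelay
session    required     /lib/security/pam_pwdb.so nodelay
password   required     /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
"""
SUGGESTED = """\
password   requisite    /lib/security/pam_pwdb.so shadow md5
password   required     /lib/security/pam_smbpass.so use_authtok nodelay smbconf=/etc/samba/smb.conf
"""

def password_stack(text):
    """Return [(control, module, options)] for the 'password' lines, in file order."""
    stack = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        m = LINE.match(raw.split("#", 1)[0].strip())     # drop comments
        if m and m.group(1) == "password":
            module = m.group(3).rsplit("/", 1)[-1]
            stack.append((m.group(2), module, m.group(4).split()))
    return stack

def check_sync(text):
    """Return findings; an empty list means both databases change from one token."""
    stack = password_stack(text)
    names = [module for _, module, _ in stack]
    if "pam_smbpass.so" not in names:
        return ["no pam_smbpass.so in the password stack: smbpasswd is not updated"]
    smb = names.index("pam_smbpass.so")
    findings = []
    if not any(n in UNIX_MODULES for n in names):
        findings.append("no Unix password module: the Unix password is not updated")
    elif not any(n in UNIX_MODULES for n in names[:smb]):
        findings.append("Unix password module is stacked after pam_smbpass.so")
    elif "use_authtok" not in stack[smb][2]:
        findings.append("pam_smbpass.so lacks use_authtok: token from pam_pwdb not reused")
    return findings

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(label, check_sync(conf) or "ok")
```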


> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com] On Behalf Of Matthijs.Sneijders at corusgroup.com
> Sent: Wednesday, August 30, 2006 1:45 PM
> To: General Red Hat Linux discussion list
> Subject: Re: samba / UNIX password sync
> 
> you might want to consider a slightly different approach to your setup,
> 
> -use pam_smb to authenticate users on your linux system using the windows user database
> -use nss  (/etc/nsswitch.conf)  to get user information from files/nis) You still need the windows usernames available in passwd/nis
>       for information like homefolder/shell/uid/gid
> 
> in smb.conf use server or domain security.  (domain is better but samba must join the domain first)
> this enables samba to authenticate incoming connections using the windows user database
> 
> This way, all authentication is done using windows accounts,  no password sync is needed anymore!
> 
> 
> 
>  Matthijs Sneijders
> 
> "Vladimir Kosovac" <vkosovac at gmail.com>
> Sent by: redhat-list-bounces at redhat.com
> 30-08-2006 01:14
> Please respond to General Red Hat Linux discussion list
> To: redhat-list at redhat.com
> cc:
> Subject: samba / UNIX password sync
> 
> Hi all.
> 
> I am running a very old version of samba (2.2.7) and cannot upgrade just yet,
> must make this work as it is (if possible).
> 
> After playing a bit with pam modules, I got the first part of what I want to do
> going - a windows user is able to change the domain password from windows.
> However, this change never gets synced to the Linux password, although (I think)
> the configuration is OK. Can someone give me some pointers to what else I need
> to look at? Current relevant config is:
> 
> Server: Red Hat 7.1 / samba-2.2.7-2.7.2 (compiled from RH source with some
> extra options, --with pam-smb_passwd included)
> Client: Windows 2000 / some XP
> 
> #/etc/pam.d/samba
> #%PAM-1.0
> # The PAM configuration file for the `samba' service
> #
> auth       required     /lib/security/pam_smbpass.so nodelay
> account    required     /lib/security/pam_pwdb.so audit nodelay
> session    required     /lib/security/pam_pwdb.so nodelay
> password   required     /lib/security/pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
> 
> #/etc/samba/smb.conf
> security = user
> encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> pam password change = yes
> obey pam restrictions = yes
> 
> What am I missing? Help appreciated,
> 
> Vladimir
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list