What you haven't explained is what happens when the users try to change
their passwords from Windows. In fact, your explanation suggests you may
have things backwards.

The Unix password sync is just that. It synchronizes the Unix password
with the Windows (samba) password. When the user changes their Windows
password, it updates the Unix password in /etc/password (or shadow). The
Windows password is stored in the samba database.

Your smb.conf looks like you aren't handling Windows logins locally.
What I'd suggest doing is using the SWAT wizard to make your server a
member server in your Windows domain. That should create a new smb.conf
appropriate for that role.

Dimitry wrote:
> Hello,
>
> (I'm sorry for my previous message with the wrong
> subject; I'll just do it over again)
>
> I have a Solaris 10 machine (SunOS 5.10
> Generic_118833-18 sun4u sparc)
> installed with Samba Version 3.0.23a.
> Samba has been compiled from source with PAM modules.
> The modules 'pam_smbpass.so' and 'pam_winbind.so'
> reside at: /usr/local/samba/lib/security
> smb.conf is located at /usr/local/samba/lib/
>
> We are talking about /etc/pam.conf, not /etc/pam.d/
> configuration with separate files.
> The modules for pam.conf are in /usr/lib/security/$ISA
> (default).
>
> This is what I want:
> Users have a unix shell and use a tool that exports
> the output to a CSV file on the samba share.
> I'm forced to use password expiration. I would like
> the users to change their password only once.
> Either by syncing the /etc/password or /etc/shadow
> file with the smbpassword file, or by just validating
> the samba login against the /etc/password or
> /etc/shadow file. I don't really care, as long as it
> works.
>
> I've been searching documentation, mail list archives,
> How-to's and man pages, I've tried with trial and
> error. I raised the debug levels for smbd and nmbd and
> checked the log files for hints, including the system
> log files.
>
> I just cannot get it to work. The smbpasswd file
> remains unchanged after a password change. Am I just
> not understanding the concept here, or is there a
> simple thing I've forgotten or am overlooking??
>
> Question:
> What is the service name for samba to be used in
> pam.conf?? I assumed (and read here and there) it is
> 'samba'. But is it really??
> PAM describes the service name should be stated in the
> man page of the service. This is not the case with
> smbd or nmbd (at least, I can't find it).
>
> Below are some summaries from both pam.conf and
> smb.conf. Just the things I think that are related.
> But if someone needs the whole thing, please let me
> know.
>
> Is there anyone who can help me?? I really need to
> get it working one way or another.
>
> Many thanks for your effort. It's much appreciated!
>
> Dimitry
> ---------------------------------------
>
> /etc/pam.conf
> samba auth required pam_unix_cred.so.1
> samba auth required pam_unix_auth.so.1
> samba account required pam_unix_account.so.1
> samba password required pam_dhkeys.so.1
> samba password requisite pam_authtok_get.so.1 shadow md5 use_authtok try_first_pass
> samba password requisite pam_authtok_check.so.1
> samba password required pam_authtok_store.so.1
> samba password requisite /usr/local/samba/lib/security/pam_smbpass.so nullok use_authtok try_first_pass debug smbconf=/usr/local/samba/lib/smb.conf
> samba session required pam_unix_session.so.1
>
>
> smb.conf
> security = user
> log file = /usr/local/samba/var/log.%m
> max log size = 500
> ; local master = no
> ; os level = 33
> ; domain master = yes
> ; preferred master = yes
> ; domain logons = yes
> ; wins support = yes
> ; wins server = w.x.y.z
> ; wins proxy = yes
> dns proxy = no
> ; add user script = /usr/sbin/useradd %u
> ; add group script = /usr/sbin/groupadd %g
> ; add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
> ; delete user script = /usr/sbin/userdel %u
> ; delete user from group script = /usr/sbin/deluser %u %g
> ; delete group script = /usr/sbin/groupdel %g
> ; passdb backend = tdbsam
>
> pam password change = Yes
> obey pam restrictions = Yes
> passwd program = /usr/bin/passwd .%u.
> passwd chat = *New*Password* %n\n \
> *Re-enter*new*password* %n\n *Password*changed*
> passwd chat debug = yes
> unix password sync = Yes
> encrypt passwords = yes
>
> [search]
> comment = CDR Searches
> path = /data/searches
> public = no
> writable = no
> printable = no
> ---------------------------------------
>
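
An added example, not part of either message: a Python check that reads an smb.conf and a pam.conf and reports which direction of password synchronization each one enables. The inputs are constructed from the settings quoted above, the function names are hypothetical, and it assumes the system `passwd` command authenticates under the PAM service `passwd` (falling back to `other`) while smbd uses `samba`.

```python
# Added example. Inputs are constructed from the settings quoted in the thread.
SMB_CONF = """[global]
security = user
; passdb backend = tdbsam
pam password change = Yes
unix password sync = Yes
"""
# The 'other' line is an assumed stand-in for the system default password stack.
PAM_CONF = """samba password required pam_authtok_store.so.1
samba password requisite /usr/local/samba/lib/security/pam_smbpass.so nullok use_authtok
other password required pam_authtok_store.so.1
"""

def smb_globals(text):
    """Parse [global] parameters; ';' and '#' start comment lines."""
    params, section = {}, "global"
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().lower()
    return params

def password_stack(text, service):
    """Module file names in the 'password' stack of one pam.conf service."""
    rows = (line.split() for line in text.splitlines())
    return [f[3].rsplit("/", 1)[-1] for f in rows
            if len(f) >= 4 and f[0] == service and f[1] == "password"]

def sync_directions(smb_text, pam_text, passwd_services=("passwd", "other")):
    """Report which password changes propagate to the other database."""
    g = smb_globals(smb_text)
    enabled = lambda key: g.get(key, "no") in ("yes", "true", "1")
    # SMB client change -> Unix password: controlled by smb.conf.
    smb_to_unix = enabled("unix password sync")
    via = "pam" if enabled("pam password change") else "passwd program"
    # Unix passwd change -> smbpasswd: needs pam_smbpass in the stack that
    # the passwd command uses (assumed: 'passwd', else 'other'), not 'samba'.
    stack = next((s for s in (password_stack(pam_text, svc)
                              for svc in passwd_services) if s), [])
    return {"smb_to_unix": smb_to_unix,
            "smb_to_unix_via": via if smb_to_unix else None,
            "unix_to_smb": any(m.startswith("pam_smbpass") for m in stack),
            "samba_stack": password_stack(pam_text, "samba")}

if __name__ == "__main__":
    print(sync_directions(SMB_CONF, PAM_CONF))
```

On the constructed input this reports SMB-to-Unix sync enabled through PAM and no Unix-to-Samba sync, because `pam_smbpass.so` appears only under the `samba` service.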