Subject: Sync passwords unix/smb with FDS backend?
From: Deas, Jim

Using simple authentication I have been able to tie FDS to Samba 3.x.24. Knowing that the unix passwd and smb passwd are different, dare I ask how difficult it would be to have them sync? Most of my users are using netatalk w/ posix user info and MD5 password. I would like to swing this over to samba without the worries of two passwords per user. I have seen blips on this but not directly related to FDS.
From: Denis Cardon
Subject: Re: Sync passwords unix/smb with FDS backend?

Hi Jim,

If you store both your samba and your unix password in the ldap, you can get them in sync by updating both of them when one changes its password. You'll need to update the smb.conf file to take that into account for the windows part, and update your other password changing apps accordingly.

If what you want is in fact getting a NTLM hash from the existing md5 hash, I'm afraid it won't be possible. Users will have to change their password once to update both ntlm and md5 password hash.

Cheers,

Denis

-- 
Denis Cardon
Tranquil IT Systems
44 bvd des pas enchantés
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.62.67
http://www.tranquil-it-systems.fr
From: Deas, Jim
Subject: Re: Sync passwords unix/smb with FDS backend?

Sorry about the acro, I am working with Fedora Directory Server (ldap). Currently user passwords stored in FDS can be changed from netatalk (apple protocol), FDS web interface, or unix/passwd via the PAM interface. To hit all three of these areas I would think that the password sync would need to somehow be done in FDS.

Looking forward I would like to find an ldap solution. Anything else will cause additional steps when I add new users to the network.

I will read through pdbedit but unless I can trigger it through ldap I don't know what good it will do.

JD

-----Original Message-----
From: Scott Lovenberg [mailto:scott.lovenberg@gmail.com]
Sent: Wednesday, January 09, 2008 12:43 PM
To: Ryan Novosielski
Cc: Denis Cardon; samba@lists.samba.org; Deas, Jim
Subject: Re: Sync passwords unix/smb with FDS backend?

Ryan Novosielski wrote:
> Denis Cardon wrote:
>> If what you want is in fact getting a NTLM hash from the existing md5
>> hash, I'm afraid it won't be possible. Users will have to change their
>> password once to update both ntlm and md5 password hash.
>
> Not entirely true, or at least it wasn't last time I tried this. For
> me, I used a method that included a PAM module that, on successful auth
> (actually, for HP-UX, any auth, which was unfortunate, since they have
> no 'requisite' directive in PAM), populated the smbpasswd file.
>
> I don't know what FDS is, but it seems to me you could go this route and
> then convert the smbpasswd file to whatever you wanted via pdbedit.
>
> =R
>
> -- 
> Ryan Novosielski - Systems Programmer II
> novosirj@umdnj.edu - 973/972.0922 (2-0922)
> Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630

Scratch my last message about FDS; I was thinking of Apache Directory Server. FDS is pretty mature. Sorry about that.
From: Deas, Jim
Subject: Re: Sync passwords unix/smb with FDS backend?

Ryan,

That is close. We have several hundred unix accounts used by our Mac clients via pam/ldap authentication. Here is the scenario. Consider 300 Macs tired of native file services and willing to use smb. I can't move them all in one year much less one weekend. Their account/password must be valid for both realms. Currently no password or user data exist for the smb side. In small systems I could run smbpasswd -a <macuser> for all users but that does not address future password issues. It is also an additional step when adding users to the system.

What would be slick is an ldap launched app that changed the smbpassword whenever the unix one was changed. Same thing with a new unix user.

-----Original Message-----
From: Ryan Novosielski [mailto:novosirj@umdnj.edu]
Sent: Wednesday, January 09, 2008 12:58 PM
To: Deas, Jim
Cc: Scott Lovenberg; Denis Cardon; samba@lists.samba.org
Subject: Re: Sync passwords unix/smb with FDS backend?

The PAM module I mentioned is not for sync, really, but for initial migration from /etc/passwd to an NT-hashed password store (in smbpasswd format). If you're trying to sync passwords (a person has accounts in both places with working passwords on both sides already and just wants them both to change at the same time), then there are other ways to handle this natively.