Deas, Jim
2008-Jan-10 18:10 UTC
[Samba] looking for a pam_smbpass user to answer passwd sync issues
I need to let my users change their password using PAM to preserve the existing ldap authentication system. How can I force pam to sync the smb password to the unix one?

I am running Fedora 7 package on an x86-64 system. I have smb working via ldap and sambasam.schema (v3.0.24). I have unix password sync = yes but it should not come into play as I never plan to reset passwords via smbd.

In '/etc/pam.d/system-auth' I was trying to use pam_smbpass.so. The original pam script for password had

    password sufficient pam_ldap.so use_authtok

I changed it to:

    password requisite pam_ldap.so use_authtok
    password required pam_smbpass.so use_authtok try_first_pass

The problem is I get a token manipulation error. Am I using it wrong?

What would be even better is if someone knows how to do this directly in Fedora DS so all avenues of changing the password would change both. Apparently smbpasswd depends on smbd running so that is not an option. I don't know if pdbedit could do it or be launched as a script directly from the directory server.
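An added illustration of the stacking point in the message above; it is not part of the thread and not Samba's or Fedora's own configuration. In the system-auth stack that Fedora's authconfig generates, the first password module (pam_cracklib) prompts for the new password, checks it, and leaves it in PAM_AUTHTOK; every module after it carries use_authtok, which means "take the new password from an earlier module and never prompt". A stack whose first password module itself says use_authtok has nothing to take the token from, which typically surfaces as an authentication token manipulation error. The module names and options below are the standard ones; the line order, and the choice of requisite for pam_ldap, are the assumptions being shown.

```pam
# /etc/pam.d/system-auth, password section only (added example, not from the thread)

# Shape that reproduces the symptom: the first module already says use_authtok,
# so no earlier module has prompted for, checked, or stored the new password.
#password    requisite     pam_ldap.so use_authtok
#password    required      pam_smbpass.so use_authtok try_first_pass

# Shape that lets both databases be updated from one prompt:
#  1. pam_cracklib collects and vets the new password and stores it in PAM_AUTHTOK;
#  2. pam_ldap writes it to the directory, taking the token from step 1 (use_authtok);
#     requisite means a failed LDAP change stops the stack, so the Samba hash is
#     only touched once the POSIX password has actually changed;
#  3. pam_smbpass updates the Samba hashes from the same token.
password    requisite     pam_cracklib.so try_first_pass retry=3
password    requisite     pam_ldap.so use_authtok
password    required      pam_smbpass.so use_authtok try_first_pass
```

pam_smbpass reads smb.conf and writes through Samba's configured passdb, so with passdb backend = ldapsam the hashes land in the same directory entry rather than in a separate smbpasswd file. Two caveats for the reader: updating ldapsam needs the LDAP admin credential that Samba keeps in secrets.tdb, which only root can read, so this stack works for the setuid passwd program but not for an unprivileged application that calls pam_chauthtok itself; and if step 3 fails after step 2 succeeded the two passwords diverge until the user changes the password again, so the failure should be logged and surfaced rather than hidden.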
Ryan Novosielski
2008-Jan-10 18:28 UTC
[Samba] looking for a pam_smbpass user to answer passwd sync issues
Jim,

The only advantage that pam_smbpass gives you over the built-in LDAP methods is that it allows the passwords to be migrated WITHOUT a password change (successful auth is enough to trigger the migration in a properly configured PAM setup). If you are planning to force every user to change their password in order to be migrated, there is no need to use pam_smbpass as there are better LDAP built-in tools to accomplish the same thing (that will not require you to jump through the additional hurdle of importing the newly-created smbpasswd file to LDAP).

In my case, it was unacceptable to make 10,000 students change their passwords to get them into the smbpasswd file. What we did (note, we were actually using smbpasswd at that time, so it was the obvious choice) is to use the migrate argument (or whatever it is called -- the docs mention it) in order to migrate them into smbpasswd when they logged into our lab next. After a few months we were confident everyone made it in, and we pulled the trigger on using that passdb instead of the unencrypted use of /etc/passwd.

Is this clearer now?

Ryan Novosielski - Systems Programmer II
novosirj@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
Deas, Jim
2008-Jan-10 20:20 UTC
[Samba] looking for a pam_smbpass user to answer passwd sync issues
Ryan,

Wish I could say yes but no, not clear. My existing users are all Mac OSX clients using the netatalk package. Netatalk uses the PAM system to authenticate. I have the ldap modules in pam.d set up to use the LDAP posix structure for netatalk authentication. The issue is how to create and sync a smb password to the existing LDAP/POSIX structure.

I am halfway there by adding the new sambaSam.schema to the LDAP system. I can now create a user with the standard smbpasswd program and authenticate them into a smb share. I don't mind telling the users that they need to change their password to gain access to the new smb services so a migration script is not needed. From what I understand there is no way to take the MD5 unix password and convert it to smb anyhow.

Best Option: find a way to make Fedora DS run a script that updates the user's smb data including syncing the password when changes to the posix structure happen.

Second Option: find a way to make pam.d execute both the passwd and smbpasswd processes for password changes. This is second choice as some of the Fedora DS tools would not be useful.

I do not need to sync the other way around (smb->(md5)posix). I will not authenticate WinX workstations with this system. Only smb disk share authentication via smbd. So in a sense, the PDC is only used by the several samba instances to authenticate disk shares.

JD