samba - Apr 2008 - Password sync problem from unix to windows

I have searched the list and have been unable to find a definitive answer to
this problem.

I am using Samba 3.0.2xx as a PDC.  The server that runs this also happens
to be a NIS master (not sure if this complicates matters or not).

When a user's password is changed within a windows client that is part of
this domain (i.e. using ctrl-alt-del), the password change correctly
propagates to the unix side.

However, if a user's password is changed from the unix side (i.e. using
/usr/bin/passwd), this does not propagate correctly to the windows side.
This appears to be some sort of Samba password syncing problem.

Here are some relevant lines from my smb.conf (NOTE: The encrypt passwords
line is commented out and not exactly sure why that's there or if this is my
problem.)

-----
   ;encrypt passwords = no

   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*password:* %n\n\
                 *Re-enter*new*password:* %n\n\
                 *passwd:*password*successfully*changed*for* %u
-----

My main question here is whether or not this can be done- can I sync
passwords if the password was changed from the unix side?

One thing I read was that user's must use the smbpasswd command instead of
passwd.  Would this be an acceptable solution?  If so, could I reroute
(symlink) /usr/bin/passwd to smbpasswd so that users would be forced to use
smbpasswd?  I'm not really sure of another way to enforce this..

Thanks in advance for your advice.

Renee

On Wed, 2008-04-09 at 15:52 -0600, SoUnD WrEcK wrote:
> I have searched the list and have been unable to find a definitive answer
to
> this problem.
> 
> I am using Samba 3.0.2xx as a PDC.  The server that runs this also happens
> to be a NIS master (not sure if this complicates matters or not).
> 
> When a user's password is changed within a windows client that is part
of
> this domain (i.e. using ctrl-alt-del), the password change correctly
> propagates to the unix side.
> 
> However, if a user's password is changed from the unix side (i.e. using
> /usr/bin/passwd), this does not propagate correctly to the windows side.
> This appears to be some sort of Samba password syncing problem.
> 
> Here are some relevant lines from my smb.conf (NOTE: The encrypt passwords
> line is commented out and not exactly sure why that's there or if this
is my
> problem.)
> 
> -----
>    ;encrypt passwords = no
> 
>    unix password sync = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*password:* %n\n\
>                  *Re-enter*new*password:* %n\n\
>                  *passwd:*password*successfully*changed*for* %u
> -----
> 
> My main question here is whether or not this can be done- can I sync
> passwords if the password was changed from the unix side?
> 
> One thing I read was that user's must use the smbpasswd command instead
of
> passwd.  Would this be an acceptable solution?  If so, could I reroute
> (symlink) /usr/bin/passwd to smbpasswd so that users would be forced to use
> smbpasswd?  I'm not really sure of another way to enforce this..
You basically have two options:

#1 as said, use smbpasswd instead of passwd
#2 use the pam_smbpass module provided by your vendor

the latter one being probably the best method.

-- 
?Udo Rader

bestsolution.at EDV Systemhaus GmbH
http://www.bestsolution.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20080410/78933475/attachment.bin