CentOS - Jul 2009 - How best to allow users to change Samba passwords?

I was wondering if anyone could advise me on this.

I've got two Samba servers, each using passdb.tdb for authentication. 
All works well, but I've now been asked to let users change their own 
passwords (a requirement of data secuity). What's the best way of 
arranging this, preferably updating both servers at the same time?

thanks

> -----Original Message-----
> From: Kevin Thorpe
> Sent: Wednesday, July 01, 2009 5:43
> 
> I was wondering if anyone could advise me on this.
We allow users th change their passwords via ctrl-alt-del, and via the web using
the password change tool that comes with exchange.
> 
> I've got two Samba servers, each using passdb.tdb for authentication. 
> All works well, but I've now been asked to let users change 
> their own passwords (a requirement of data secuity). What's 
> the best way of arranging this, preferably updating both 
> servers at the same time?
> 
> thanks
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
> 
On CentOS release 4.7:

/etc/samba/smb.conf (redacted)

[global]

#log level = 10

encrypt passwords = yes

        workgroup = xxxxxxxxxxxxxxxxxxxxxxxx
        server string = Logon Server
        pam password change = Yes
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g'
'%u'
        add machine script = /usr/sbin/useradd -s /sbin/nologin -d /tmp
'%u'
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap ssl = no
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        map acl inherit = Yes
        cups options = raw
        csc policy = disable

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = Yes
        share modes = No

[print$]
        comment = All Printers
        path = /var/lib/samba/drivers
        guest ok = Yes
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No



--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

On 01/07/2009 14:29, Jason Pyeron wrote:
>> -----Original Message-----
>> From: Kevin Thorpe
>> Sent: Wednesday, July 01, 2009 5:43
>>
>> I was wondering if anyone could advise me on this.
>>      
>
> We allow users th change their passwords via ctrl-alt-del, and via the web
using
> the password change tool that comes with exchange.
>    
We're missing some bits on this. We don't run Windows servers at all so 
the Exchange route is out. Also most of our
workstations are only windows Home, not Professional so we can't use a 
domain or the ctrl-alt-del approach. I think
I'm going to have to use openLDAP to do this, but it seems overly hard 
to set up. It will however work for Samba,
Scalix and our website (Drupal) so I think it's the way to
go.
>    
>> I've got two Samba servers, each using passdb.tdb for
authentication.
>> All works well, but I've now been asked to let users change
>> their own passwords (a requirement of data secuity). What's
>> the best way of arranging this, preferably updating both
>> servers at the same time?
>>
>> thanks
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos
>>
>>      
>
>    
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.centos.org/pipermail/centos/attachments/20090701/fa0e198c/attachment-0003.html>

On Jul 1, 2009, at 5:42 AM, Kevin Thorpe <kevin at pibenchmark.com> wrote:
> What's the best way of
> arranging this, preferably updating both servers at the same time?
What you should do is pick one server to manage the passwords and have  
the other setup to authenticate users against the first. Use samba's  
'password server=' option. Then password changes happen only on the  
password server.

I would start thinking samba domain controller at this point.

-Ross

2009/7/1 Kevin Thorpe <kevin at pibenchmark.com>:
> On 01/07/2009 14:29, Jason Pyeron wrote:
>
> We're missing some bits on this. We don't run Windows servers at
all so the
> Exchange route is out. Also most of our
> workstations are only windows Home, not Professional so we can't use a
> domain or the ctrl-alt-del approach. I think
> I'm going to have to use openLDAP to do this, but it seems overly hard
to
> set up. It will however work for Samba,
> Scalix and our website (Drupal) so I think it's the way to go.
I have successfully used http://www.pgina.org to authenticate Windows
Home users against a Samba domain. Pgina has plugins for different
authentication providers, so openLDAP should work.

Of course you should ensure user and password synchronization between
the 2 servers as a first step. OpenLDAP will work. I have used
http://sourceforge.net/projects/smbldap-tools/ to store samba account
database in openldap.

The real challenge for me 7 years ago, was password expiration. I
believe this requirement will sooner or later come to you. Users tend
to use the same password for years. Therefore a mechanism of password
expiration must be enforced to make sure those passwords will be
changed, also the mechanism observes that passwords are strong and not
rotated.

When I was using a Windows NT4 domain there was a mechanism which
would observe the password expiration of domain users and would
trigger via RPC a password change request on the user workstation.
Upon login, the user would not be granted login until the password is
changed.

I could not reproduce this behavior using samba 2.2.xxx and have not
tried since then.


With best regards
Alexander

I know this is a late reply, but I've only just got round to things. 
pgina works absolutely fine, thanks for that. It also allows fallback to 
local users for our laptop wielding brethren.
All I need to do now is work out how to use the Centos/redhat/fedora 
directory server.

On 01/07/2009 16:38, Alexander Georgiev wrote:
> 2009/7/1 Kevin Thorpe<kevin at pibenchmark.com>:
>    
>> On 01/07/2009 14:29, Jason Pyeron wrote:
>>
>> We're missing some bits on this. We don't run Windows servers
at all so the
>> Exchange route is out. Also most of our
>> workstations are only windows Home, not Professional so we can't
use a
>> domain or the ctrl-alt-del approach. I think
>> I'm going to have to use openLDAP to do this, but it seems overly
hard to
>> set up. It will however work for Samba,
>> Scalix and our website (Drupal) so I think it's the way to go.
>>      
>
> I have successfully used http://www.pgina.org to authenticate Windows
> Home users against a Samba domain. Pgina has plugins for different
> authentication providers, so openLDAP should work.
>
> Of course you should ensure user and password synchronization between
> the 2 servers as a first step. OpenLDAP will work. I have used
> http://sourceforge.net/projects/smbldap-tools/ to store samba account
> database in openldap.
>
> The real challenge for me 7 years ago, was password expiration. I
> believe this requirement will sooner or later come to you. Users tend
> to use the same password for years. Therefore a mechanism of password
> expiration must be enforced to make sure those passwords will be
> changed, also the mechanism observes that passwords are strong and not
> rotated.
>
> When I was using a Windows NT4 domain there was a mechanism which
> would observe the password expiration of domain users and would
> trigger via RPC a password change request on the user workstation.
> Upon login, the user would not be granted login until the password is
> changed.
>
> I could not reproduce this behavior using samba 2.2.xxx and have not
> tried since then.
>