I've been reading many of password sync problems from both this list and the
NTDOM list and have come up with a solution that seems secure enough although I
had to modify some samba code to make it work.
This potential solution is for sync from Unix to smbpasswd and has nothing to do
with "unix passswd sync".
What I've done is literally rewrite the unix "passwd" command to
include a call
to smbpasswd to update the Samba password table in the event we successfully
change the Unix password.
I'm running AIX 4.3.2 on an RS6K-H50, so there are some special password
calls
to update AIX passwords, but I'm sure could be easily ported to other
shadow-like systems.
In addition to rewriting the passwd command I had to fiddle a little with
smbpasswd command to allow it to be called as suid root, BUT the program is NOT
suid, only passwd is (as it needs to be), any Joe who runs smbpasswd cannot
become root accidentally, in fact we don't even allow anyone to run it, they
have to use "passwd" or do it through NT.
In addition, the system where people change their password has an NFS mount of
the real smbpasswd file from Samba running on another H50, so there is one file
only.
The samba server is an NIS slave as well and the first H50 is the master. This
concept works very well for us and I'd like to share this with anyone who
would
like to have it.
Keep in mind you DON'T need NFS or NIS for this to work, this is just how we
happened to be organized at the time.
Cheers,
Bill
--
/------------------------------------------------------\
| |
| William E. Jojo, Jr. |
| |
| Senior Systems and Network Specialist |
| |
| Hudson Valley Community College |
| |
| (518) 629 7540 |
| |
| jojowil@hvcc.edu |
| |
\------------------------------------------------------/
We are young
Wandering the face of the earth
Wondering what our dreams might be worth
Learning that we're only immortal...
...For a limited time
