samba - Feb 2002 - PDC and yppasswd

Greetings!

We are testing the implementation of Samba as a PDC as outlined
in Linux Magazine's "Using Samba as a PDC" by Andrew Bartlett
(Feb 2002, pg 16). This sounds great since we're actively trying
to get rid of a certain NT which acts as our PDC, and work
towards unifying our account namespace and storage environment.
Fortunately, Samba is assisting with this quite nicely.

However, in the article, the set up refers to an expect-like
configuration for passwords in the [global] section:

[global]
unix password sync = true
password program = /usr/bin/passwd %u
passwd chat = \
   *password* %n\n \
   *password* %n\n \
   *successful*

However, our UNIX users must use "yppasswd" to change their
passwords on each local system (really, updating the yp password
map). Our Samba server is not the same system as our NIS server,
so passwords must also be changed with yppasswd on that system.
The yppasswd routine requires *two* entries: the old (or current)
password, and the new password.  

My question: is there a set up for this? It looks like the
password chat deals with only one variable, i.e., the old
password. I have been told that there exists the possibility that
using plain "passwd" on a yp client will change the yppasswd
regardless, but I have had time to confirm that. Have NIS issues
like this one been addressed?

Thanks!!

....k
-- 
*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*
Kevin Freels, Systems Administrator          415/553.8000 (v)
Wild Brain, Inc.                             415/850.3273 (c)
2650 18th Street, San Francisco, CA 94110    415/553.8009 (f)
*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*
        "Just repeat to yourself, 'It's just a show, 
               I should really just relax!'"

When using encrypted passwords with samba, which you need wheen it is 
the PDC, the password chat can not contain the old password, because 
it is not knowen in clear text. So you have to possibilities to keep 
your NIS and samba passwords in sync:
- get or hack an yppasswd that does not need the old password when
  running as root on the ypclient. (I havn't found one and I don't
  know if it is even possible without NIS server changes)
- Let your PDC be your NIS server. The PDC has not to offer any shares
  exept the netlogon share: Profiles, data, ... can be on other
  servers. In this case you have to sync passwd and NIS, may be with
  cron or may be including an "cd /var/yp; make" in the password
  program string in smb.conf.
There may be othe possibities I'm not aware of.

Christian


> Greetings!
> 
> We are testing the implementation of Samba as a PDC as outlined
> in Linux Magazine's "Using Samba as a PDC" by Andrew Bartlett
> (Feb 2002, pg 16). This sounds great since we're actively trying
> to get rid of a certain NT which acts as our PDC, and work
> towards unifying our account namespace and storage environment.
> Fortunately, Samba is assisting with this quite nicely.
> 
> However, in the article, the set up refers to an expect-like
> configuration for passwords in the [global] section:
> 
> [global]
> unix password sync = true
> password program = /usr/bin/passwd %u
> passwd chat = \
>    *password* %n\n \
>    *password* %n\n \
>    *successful*
> 
> However, our UNIX users must use "yppasswd" to change their
> passwords on each local system (really, updating the yp password
> map). Our Samba server is not the same system as our NIS server,
> so passwords must also be changed with yppasswd on that system.
> The yppasswd routine requires *two* entries: the old (or current)
> password, and the new password.  
> 
> My question: is there a set up for this? It looks like the
> password chat deals with only one variable, i.e., the old
> password. I have been told that there exists the possibility that
> using plain "passwd" on a yp client will change the yppasswd
> regardless, but I have had time to confirm that. Have NIS issues
> like this one been addressed?
> 
> Thanks!!
> 
> ....k
> -- 
> *-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*
> Kevin Freels, Systems Administrator          415/553.8000 (v)
> Wild Brain, Inc.                             415/850.3273 (c)
> 2650 18th Street, San Francisco, CA 94110    415/553.8009 (f)
> *-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*
>         "Just repeat to yourself, 'It's just a show, 
>                I should really just relax!'"
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 

               _(_)_                          wWWWw   _
   @@@@       (_)@(_)   vVVVv     _     @@@@  (___) _(_)_
  @@()@@ wWWWw  (_)\    (___)   _(_)_  @@()@@   Y  (_)@(_)
   @@@@  (___)     `|/    Y    (_)@(_)  @@@@   \|/   (_)\
    /      Y       \|    \|/    /(_)    \|      |/      |
 \ |     \ |/       | / \ | /  \|/       |/    \|      \|/
jgs|//   \\|///  \\\|//\\\|/// \|///  \\\|//  \\|//  \\\|// 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

"Kevin G. J. Freels" wrote:
> 
> Greetings!
> 
> We are testing the implementation of Samba as a PDC as outlined
> in Linux Magazine's "Using Samba as a PDC" by Andrew Bartlett
> (Feb 2002, pg 16). This sounds great since we're actively trying
> to get rid of a certain NT which acts as our PDC, and work
> towards unifying our account namespace and storage environment.
> Fortunately, Samba is assisting with this quite nicely.
> 
> However, in the article, the set up refers to an expect-like
> configuration for passwords in the [global] section:
> 
> [global]
> unix password sync = true
> password program = /usr/bin/passwd %u
> passwd chat = \
>    *password* %n\n \
>    *password* %n\n \
>    *successful*
> 
> However, our UNIX users must use "yppasswd" to change their
> passwords on each local system (really, updating the yp password
> map). Our Samba server is not the same system as our NIS server,
> so passwords must also be changed with yppasswd on that system.
> The yppasswd routine requires *two* entries: the old (or current)
> password, and the new password.
> 
> My question: is there a set up for this? It looks like the
> password chat deals with only one variable, i.e., the old
> password. 
I assume you mean new password.  The example doesn't show the use of
'%o' for old password for the reasons I outline below:
> I have been told that there exists the possibility that
> using plain "passwd" on a yp client will change the yppasswd
> regardless, but I have had time to confirm that. Have NIS issues
> like this one been addressed?
The problem here is that Samba often only gets the 'new password' - it
never gets the old one.  As such it can only do password sync where
either:

 - The local system allows root to change a password without the old
password

or 

 - The old password was supplied.

Most clients (including smbpasswd) don't supply the old password.

As such, your options are to write some 'magic' wrapper that somehow
tells your NIS server that this is a root-based password change (ssh
root@nisserver passwd %u might work) or run Samba's PDC components on
the NIS server.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net