Greetings!

We are testing the implementation of Samba as a PDC as outlined
in Linux Magazine's "Using Samba as a PDC" by Andrew Bartlett
(Feb 2002, pg 16). This sounds great since we're actively trying
to get rid of a certain NT which acts as our PDC, and work
towards unifying our account namespace and storage environment.
Fortunately, Samba is assisting with this quite nicely.

However, in the article, the set up refers to an expect-like
configuration for passwords in the [global] section:

    [global]
       unix password sync = true
       password program = /usr/bin/passwd %u
       passwd chat = \
          *password* %n\n \
          *password* %n\n \
          *successful*

However, our UNIX users must use "yppasswd" to change their
passwords on each local system (really, updating the yp password
map). Our Samba server is not the same system as our NIS server,
so passwords must also be changed with yppasswd on that system.
The yppasswd routine requires *two* entries: the old (or current)
password, and the new password.

My question: is there a set up for this? It looks like the
password chat deals with only one variable, i.e., the old
password. I have been told that there exists the possibility that
using plain "passwd" on a yp client will change the yppasswd
regardless, but I have had time to confirm that. Have NIS issues
like this one been addressed?

Thanks!!

....k
--
*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*
Kevin Freels, Systems Administrator          415/553.8000 (v)
Wild Brain, Inc.                             415/850.3273 (c)
2650 18th Street, San Francisco, CA 94110    415/553.8009 (f)
*-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-*
"Just repeat to yourself, 'It's just a show,
 I should really just relax!'"

When using encrypted passwords with Samba, which you need when it is
the PDC, the password chat cannot contain the old password, because
it is not known in clear text. So you have two possibilities to keep
your NIS and Samba passwords in sync:

- Get or hack a yppasswd that does not need the old password when
  running as root on the ypclient. (I haven't found one and I don't
  know if it is even possible without NIS server changes.)

- Let your PDC be your NIS server. The PDC does not have to offer any
  shares except the netlogon share: profiles, data, ... can be on
  other servers. In this case you have to sync passwd and NIS, maybe
  with cron or maybe by including a "cd /var/yp; make" in the
  password program string in smb.conf.

There may be other possibilities I'm not aware of.

Christian

"Kevin G. J. Freels" wrote:
>
> Greetings!
>
> We are testing the implementation of Samba as a PDC as outlined
> in Linux Magazine's "Using Samba as a PDC" by Andrew Bartlett
> (Feb 2002, pg 16). This sounds great since we're actively trying
> to get rid of a certain NT which acts as our PDC, and work
> towards unifying our account namespace and storage environment.
> Fortunately, Samba is assisting with this quite nicely.
>
> However, in the article, the set up refers to an expect-like
> configuration for passwords in the [global] section:
>
>     [global]
>        unix password sync = true
>        password program = /usr/bin/passwd %u
>        passwd chat = \
>           *password* %n\n \
>           *password* %n\n \
>           *successful*
>
> However, our UNIX users must use "yppasswd" to change their
> passwords on each local system (really, updating the yp password
> map). Our Samba server is not the same system as our NIS server,
> so passwords must also be changed with yppasswd on that system.
> The yppasswd routine requires *two* entries: the old (or current)
> password, and the new password.
>
> My question: is there a set up for this? It looks like the
> password chat deals with only one variable, i.e., the old
> password.

I assume you mean new password. The example doesn't show the use of
'%o' for old password for the reasons I outline below:

> I have been told that there exists the possibility that
> using plain "passwd" on a yp client will change the yppasswd
> regardless, but I have had time to confirm that. Have NIS issues
> like this one been addressed?

The problem here is that Samba often only gets the 'new password' - it
never gets the old one. As such it can only do password sync where
either:

 - The local system allows root to change a password without the old
   password
or
 - The old password was supplied.

Most clients (including smbpasswd) don't supply the old password.

As such, your options are to write some 'magic' wrapper that somehow
tells your NIS server that this is a root-based password change
(ssh root@nisserver passwd %u might work) or run Samba's PDC components
on the NIS server.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
samba.org     build.samba.org     hawkerc.net
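
Added example, not part of the thread and not Samba's own code: a wrapper for the option both replies describe (the PDC running on the NIS master), which changes the local password and then runs the "cd /var/yp; make" step Christian mentions. The install path, the 32-character name limit and the assumption that the NIS maps are built from the local passwd files are illustrative assumptions.

```shell
#!/bin/sh
# Wrapper for smb.conf "password program" on a host that is both Samba PDC
# and NIS master (assumption). smbd runs this program as root, so the
# substituted %u is checked before it reaches passwd.
#
# smb.conf (hypothetical install path):
#   unix password sync = true
#   password program   = /usr/local/sbin/smb-nis-passwd %u
#   passwd chat        = *password* %n\n *password* %n\n *successful*

LC_ALL=C; export LC_ALL          # make the [A-Za-z] ranges byte-exact
YPDIR=/var/yp                    # NIS map directory named in the thread

# Accept only conservative account names: non-empty, no leading '-'
# (would be parsed as a passwd option), no shell metacharacters or
# whitespace, at most 32 characters (assumed limit).
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

main() {
    user=$1
    if ! valid_user "$user"; then
        echo "smb-nis-passwd: rejected account name" >&2
        return 64
    fi

    # passwd inherits the terminal smbd set up, so the passwd chat in
    # smb.conf drives these prompts. As root, no old password is asked.
    /usr/bin/passwd "$user" || return $?

    # Rebuild the NIS maps from the updated local files. Output is
    # discarded so it cannot interfere with the chat.
    (cd "$YPDIR" && make) >/dev/null 2>&1
}

# Run only when called with an account name (as smbd does via %u).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

If the map rebuild fails, the wrapper exits non-zero, so the failure shows up as a failed UNIX password sync rather than leaving the NIS maps silently stale.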