I would like to have sync'd Unix and Samba passwords. My Unix passwords are stored in OpenLDAP for uniformity across machines and services. I have some problems with the standard solutions to this problem though:

* if I have Samba authenticate from OpenLDAP directly (using the smbPassword attribute), then I get sync'ing problems when the password is changed via normal Unix means. We are primarily a Unix shop; I cannot force my users to change passwords always via Samba. Also, I would really prefer to stay within the PAM universe, not merely because of its elegance, but also because it allows me to do very flexible, additional checks (e.g. pam_cracklib).

* keeping Samba passwords in smbpasswd and using pam_smbpasswd to auth and sync would be perfect -- except that my users don't work on my file server, so no PAM stack there would ever be executed (I guess I could put smb_passwd in the PAM stack of netatalk, which runs from that machine, but demanding that users mount their home directory via Appletalk in order to sync their Samba passwords seems rather bizarre). Even if I were to run Samba on a user machine, the smbpasswd file would only be updated if the user happened to run passwd on THAT machine.

What I really want is either:

* that pam_smbpasswd be able to update the smbpasswd file on ANOTHER computer. Say on the file server via smb. Is this actually possible and I've just missed it? If so, how do I configure that? Or...

* a "pam_smbldap" module that does what pam_smbpasswd does, but uses an LDAP backend in place of the smbpasswd file. I actually looked at the pam_smbpasswd code to see if this would be easy to implement. The code is very straightforward, but unfortunately this is because it hides all of the actual work in calls to Samba libraries. Has someone with more understanding of the Samba internals perhaps already undertaken the production of a "pam_smbldap" module?
David Wright wrote:
> to run passwd on THAT machine.
>
> What I really want is either:
>
> * that pam_smbpasswd be able to update the smbpasswd file on ANOTHER
> computer. Say on the file server via smb. Is this actually possible and
> I've just missed it? If so, how do I configure that? Or...
>
> * a "pam_smbldap" module that does what pam_smbpasswd does, but uses an
> LDAP backend in place of the smbpasswd file. I actually looked at the
> pam_smbpasswd code to see if this would be easy to implement. The code
> is very straightforward, but unfortunately this is because it hides all
> of the actual work in calls to Samba libraries. Has someone with more
> understanding of the Samba internals perhaps already undertaken the
> production of a "pam_smbldap" module?

hi !

i am successfully using the patch to the pam_ldap module provided at http://www.rit.bme.hu/~balsa/pam_ldap_ntlm/ to keep the smbpasswd and the unix password (both stored in the ldap-tree) in sync.

you then just have to add a line like "samba_ntlm_sync true" to your /etc/pam_ldap.conf

i think the patch is for pam_ldap-137 but it worked (for me) on pam_ldap-140 too.

mfg.cfd.sdr
IOhannes
David Wright wrote:
> I would like to have sync'd Unix and Samba passwords. My Unix passwords
> are stored in OpenLDAP for uniformity across machines and services. I
> have some problems with the standard solutions to this problem though:
>
> * if I have Samba authenticate from OpenLDAP directly (using the
> smbPassword attribute), then I get sync'ing problems when the password
> is changed via normal Unix means. We are primarily a Unix shop; I cannot
> force my users to change passwords always via Samba. Also, I would
> really prefer to stay within the PAM universe, not merely because of its
> elegance, but also because it allows me to do very flexible, additional
> checks (e.g. pam_cracklib).

I think what we need to do is write a plugin for the ldap server, so that on the password change extended operation, it updates the Samba attributes as well.

Anybody want to take that on?

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
On Monday 22 July 2002 03:14, IOhannes zmoelnig wrote:
> Jason Joines wrote:
> > This is exactly what I need to do as well. I downloaded the
> > stuff from http://www.rit.bme.hu/~balsa/pam_ldap_ntlm/ but thought
> > it was the entire pam_ldap instead of a patch. A patch is much
> > better as I would like to apply it to my SuSE 8.0 pam_ldap-137
> > source rpm, then build an rpm from that.
> > How can I apply the patch?
>
> hi, i do not know exactly on SuSe, but it is something like:
> get the source-distribution of the SuSe-package (on debian, this is
> as easy as "apt-get source libpam-ldap") i have no idea on how to do
> this on SuSe.
> once you have the source-package, you should have everything you need
> to build your rpm, including build-scripts,...
> so, go to your fresh installed sources
> make something similar to
> "patch -p1 < patchfile.diff"
> if necessary, read "man patch", have a look at your patchfile.diff
> (or whatever the patchfile is called) and retry ;-)
> build the package, as would the maintainers (again no idea: on debian
> it would be "./debian/rules binary", on SuSe it could be anything
> from "make rpm" to whatever)
>
> if all fails, i could send you my .deb package, so you could convert
> it to rpm (with "alien")
>
> mfg.ca.sdr
> IOhannes
>
> > Thanks,
> >
> > Jason Joines
> > Open Source = Open Minds
> > ====================

Please do send me your .deb package. I'll give Alien a try.

Thanks,

Jason
=================================