Hi Everybody,

maybe we are just too stupid, but for me it seems that there is some problem with keeping passwords completely in sync between the *NIX-world and the WIN-world when I use LDAP & Samba.

If a user changes a password under Windows, with "passwd chat" the *NIX-Password (attribute: userPassword) can be changed very well besides both Samba-LDAP-attributes lmPassword and ntPassword.

But if a user from the *NIX-world wants to change his password over a service that uses PAM.D we have the following problem:

pam_smbpass.so can authenticate UNIX Users via SMB-LDAP but it can not be used for "passwd" from the UNIX-side!!! We already read the sourcecode and pam_smbpass.so always wants to change the smbpasswd-file, which is not used for regular users in LDAP-mode... ???

Does anybody know how I can change the attributes lmpassword and ntpassword from pam.d?!?!

Would be great!

Thanks!!!

Matthias

--
Matthias Eichler <mylists@ame.de>
AME Aigner Media & Entertainment
On Tue, 2003-01-28 at 05:43, Matthias Eichler wrote:
> Hi Everybody,
>
> maybe we are just too stupid, but for me it seems that
> there is some problem with holding passwords completely
> sync between *NIX-world and WIN-world when I use LDAP
> & Samba.
>
> If a user changes a password under Windows, with "passwd chat"
> the *NIX-Password (attribute: userPassword) can be changed
> very well besides both Samba-LDAP-attributes lmPassword
> and ntPassword.
>
> But if a user from the *NIX-world wants to change his password
> over a service that uses PAM.D we have the following problem:
>
> pam_smbpass.so can authenticate UNIX Users via SMB-LDAP
> but it can not be used for "passwd" from UNIX-side!!!
> We read already the sourcecode and pam_smbpass.so always
> wants to change the smbpasswd-file, which is not used
> for regular users in LDAP-mode...

I use pam_smbpass for this... here's my /etc/pam.d/passwd file:

password requisite pam_cracklib.so retry=3 minlen=6 difok=3 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_ldap.so use_first_pass
password required pam_unix.so use_first_pass nullok md5 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_smbpass.so use_first_pass audit

I don't claim that file to be perfect but it does seem to work just fine for me. I'm also using ldap in the nsswitch.conf.

brad

--
Bradley W. Langhorst <brad@langhorst.com>
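A check for a password stack like the one above, added here as an example and not code from the thread or from Samba: it parses the pam.d rule syntax (including the bracketed control field, which contains spaces) and reports rules that would let the UNIX, LDAP and Samba password stores drift apart. The module names and what each one updates (pam_ldap.so for userPassword, pam_smbpass.so for lmPassword/ntPassword) are assumptions taken from the thread.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the /etc/pam.d/passwd stack quoted above, one rule per line.
SAMPLE_PAM_PASSWD = """\
password requisite pam_cracklib.so retry=3 minlen=6 difok=3 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_ldap.so use_first_pass
password required pam_unix.so use_first_pass nullok md5 debug
password [user_unknown=ignore success=ok new_authtok_reqd=ok ignore=ignore default=bad] pam_smbpass.so use_first_pass audit
"""

class PamRule(NamedTuple):
    type: str        # auth, account, password or session
    control: str     # keyword (required, requisite, ...) or bracketed [value=action ...] form
    module: str      # module file, e.g. pam_smbpass.so
    args: List[str]  # module arguments, e.g. use_first_pass

# The bracketed control field contains spaces, so it is tried before the plain-word form.
_RULE = re.compile(r'^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')

def parse_pam(text: str) -> List[PamRule]:
    """Parse the body of a /etc/pam.d/<service> file into rules, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError('unparseable PAM rule: %r' % raw)
        rules.append(PamRule(m.group(1), m.group(2), m.group(3), m.group(4).split()))
    return rules

def password_stack_issues(rules: List[PamRule]) -> List[str]:
    """Report why a passwd run on this host could leave the UNIX, LDAP and Samba
    stores out of sync (assumed: pam_ldap.so writes userPassword, pam_smbpass.so NT/LM)."""
    stack = [r for r in rules if r.type == 'password']
    modules = [r.module for r in stack]
    issues = []
    if 'pam_ldap.so' not in modules:
        issues.append('pam_ldap.so missing: userPassword in LDAP is never updated')
    if 'pam_smbpass.so' not in modules:
        issues.append('pam_smbpass.so missing: lmPassword/ntPassword are never updated')
    # Every module after the first must reuse the token already collected; otherwise
    # each module prompts on its own and the stores can end up holding different passwords.
    for r in stack[1:]:
        if 'use_first_pass' not in r.args:
            issues.append('%s lacks use_first_pass: it may store a different password' % r.module)
    return issues
```

Running `password_stack_issues(parse_pam(SAMPLE_PAM_PASSWD))` on the stack above returns no findings; dropping pam_smbpass.so or the use_first_pass argument from a rule is reported.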
> Date: 30 Jan 2003 10:40:50 -0500
> From: "Bradley W. Langhorst" <brad@langhorst.com>
> To: Matthias Eichler <me@ame.de>
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] PAM Module for SMB-LDAP
> Message: 18
>
> On Thu, 2003-01-30 at 05:28, Matthias Eichler wrote:
>
> >>> And with these settings you can really change the lmpassword and
> >>> ntpassword attributes in LDAP when doing a passwd under UNIX?!?
>
> Yes - I am using samba3a21 but I'm pretty sure this worked with 2.2.6
> when I last tried the 2.2 branch.

It really has no relationship to which samba you're running, since this is when changing your password on a unix machine which is not a DC, so you can't (AFAIK) use pam_smbpass, and the machine may have no samba components installed on it anyway.

AFAIK, the only way around this is a hacked pam_ldap which changes ntpasswd and lmpasswd; there is one around somewhere ...

The other option is to make a passwd script which calls smbpasswd -r <name of pdc>, and rename the old passwd binary.

Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7