Gianluca Cecchi
2006-Sep-06 15:45 UTC
[Samba] passwd program example for parsing new password typed?
Hello, I have two domains, one w2k3 and one with Samba 3. The users log on to the Samba domain and use Outlook connected to Exchange in the w2k3 domain. Password age for the two domains is aligned.

On another Samba 3.0.23c Linux machine inside the w2k3 domain (ads security parameter set) I have set up a script that allows changing the w2k3 domain password for the user, using the ldapmodify command to change the "unicodePwd" parameter of AD. This could allow me to synchronize the passwords of the two domains' users during the normal Windows password change operation.

I have only to set up the "passwd program" of smb.conf accordingly. By default it is "passwd %u" and I read that it makes use of expect to get the passwd typed by the user.... (not clear how... where to find docs?)

I would like instead to substitute it with a script that
1) runs the passwd program locally as by default
2) runs a remote shell to the other Samba host to run the script specified above for the AD change.

Any hint on how to give to the script the password typed by the user?
Thanks in advance for your help.
Gianluca
Logan Shaw
2006-Sep-06 18:58 UTC
[Samba] passwd program example for parsing new password typed?
On Wed, 6 Sep 2006, Gianluca Cecchi wrote:

> This could allow me to synchronize the passwords of the two domains'
> users during the normal windows password change operation.

That's a little odd to have two sets of accounts that are kept identical between two different domains. But, maybe there is a reason for it.

> I have only to set up the "passwd program" of smb.conf accordingly.
> By default it is "passwd %u" and I read that it makes use of expect to
> get the passwd typed by the user.... (not clear how... where to find
> docs?)

No, it uses an Expect-like (not actual Expect, I think) script to talk to the passwd program. The user's password comes in plaintext from the Windows client machine to Samba, if I understand correctly. So the interaction between Samba and the passwd command doesn't involve getting the password typed by the user.

> I would like instead to substitute it with a script that
> 1) runs the passwd program locally as by default
> 2) runs a remote shell to the other samba host to run the script
> specified above for AD change.
> Any hint on how to give to the script the password typed by the user?
> Thanks in advance for your help.

Look at the "passwd chat" Samba parameter. This defines how Samba communicates with the passwd program. You can substitute your own chat script to specify how it interacts with your own script instead of the passwd command. For example, your script might look like this:

    #! /bin/sh
    username="$1"
    echo "send password now"
    read -r password    # -r: keep any backslashes in the password as sent
    # do whatever you want with $username and $password

Then I believe you'd want this in your smb.conf:

    unix password sync = yes
    passwd program = /path/to/my/script %u
    passwd chat = "send password now" %n\n

That should take care of the glue between Samba and your script, but then you have the small matter of glue between your script and /usr/bin/passwd. Previously, Samba could take care of that for you, but if you wrap the passwd command with your script, you're going to have to use Expect or something to do it.

- Logan
Gianluca Cecchi
2006-Sep-06 20:43 UTC
[Samba] passwd program example for parsing new password typed?
On Wed Sep 6 18:58:20 GMT 2006 Logan Shaw wrote:

> That's a little odd to have two sets of accounts that are kept
> identical between two different domains. But, maybe there is
> a reason for it.

Yes. The fact is that I inherited this situation with passwords never changed (and Samba 2 on an old and unmaintained Caldera OpenLinux) and known by the previous sysadmins.... and I have about 50 users, with some of them working also on Saturdays and Sundays... with little time for maintenance operations. I switched to force password change and its privateness. So the first step was to have the users do this manually at my seat, the second now is to automatically have them changing it, after migrating to Samba 3.

> No, it uses an Expect-like (not actual Expect, I think)
> script to talk to the passwd program. The

Ok, thanks. I set up the script based on your comments and further reading and now it works great! Aligning both the Samba and Linux passwd on the Samba logon server and the AD password on the Exchange domain.

The parameter in smb.conf is

    passwd program = /usr/local/bin/align_pwd.sh %u

with default "passwd chat" parameter settings.

The draft but working passwd program (align_pwd.sh) on the Samba PDC is something like:

    #!/bin/bash
    USER=$1

    # these prompts are what the default "passwd chat" waits for;
    # Samba answers each one with the new password (%n)
    echo "New password"
    read -r newpwd1
    echo "Retype new password"
    read -r newpwd2
    if [ "$newpwd1" != "$newpwd2" ]
    then
        echo "Sorry, passwords do not match"
        exit 1
    fi
    NEWPWD=$newpwd1
    export USER NEWPWD

    # debug trace: note that this writes the cleartext password to /tmp/ppp
    echo "$USER" > /tmp/ppp
    echo "$NEWPWD" >> /tmp/ppp
    #
    # align linux shadow passwd
    echo "$NEWPWD" | passwd --stdin "$USER" >> /tmp/ppp 2>&1
    #
    # align AD passwd (only if the passwd pipeline above succeeded)
    if [ $? -eq 0 ]
    then
        FULLNAME=$(pdbedit -Lv "$USER" | grep "^Full Name" | awk '{print $3" "$4}')
        ssh sambaslack "/root/set_adpwd.sh $FULLNAME $NEWPWD"
        # this line must match the last pattern of the default "passwd chat"
        echo "passwd: all authentication tokens updated successfully"
    else
        echo "an error occurred!" >> /tmp/ppp
        exit 1
    fi

I still need to look at monitoring the return code of the ssh remote shell script, which takes care of doing the ldapmodify on AD. It is ok if all goes well.
I have to test possible errors that may happen and how to treat them.... If anyone is interested I can share the set_adpwd.sh script.
Bye,
Gianluca
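The following is an added example, not a script from this thread or from the Samba project. It takes the mechanism Logan describes (Samba talks to the "passwd program" through the "passwd chat" patterns, feeding the new password on the program's stdin) and the working draft above, and reworks it so that the cleartext password is never written to a file and never placed on a command line, and so that the exit status of the remote AD update is checked, which the draft still leaves open. It assumes the default Samba 3 "passwd chat" patterns quoted in the comments, a Linux passwd that accepts --stdin as in the thread, and a remote /root/set_adpwd.sh that takes the user name as its argument and reads the password from stdin (the version in the thread takes it as an argument, which shows up in ps on the remote host). The command names are taken from variables only so the logic can be exercised without a real passwd or ssh.

```shell
#!/bin/sh
# align_pwd_safe.sh: hardened rewrite of the "passwd program" idea from this thread.
# Added example, not the poster's script. Samba invokes it as
#   passwd program = /usr/local/bin/align_pwd_safe.sh %u
# with the default "passwd chat", whose patterns are assumed to be
#   *new*password* %n\n *retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# so the prompts and the final success line below keep exactly this wording.
#
# Compared with the draft in the thread:
#   - the password is never written to a file and never put on a command line
#     (the remote helper is assumed to read it from stdin, so it is invisible in ps)
#   - the remote helper's exit status is checked and a failure is reported to Samba
#   - the commands it calls come from variables so the logic can be tested without passwd/ssh

PASSWD_CMD="${PASSWD_CMD:-passwd}"                    # assumes a Linux passwd with --stdin, as in the thread
SSH_CMD="${SSH_CMD:-ssh}"
REMOTE_HOST="${REMOTE_HOST:-sambaslack}"
REMOTE_SCRIPT="${REMOTE_SCRIPT:-/root/set_adpwd.sh}"  # assumed: user name as $1, password read from stdin
LOG_FILE="${LOG_FILE:-/var/log/align_pwd.log}"

# Status-only log line: no password ever reaches it.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"
}

# %u is substituted by Samba, but the script still refuses anything that is not
# a plain account name before it is used as a command argument.
validate_username() {
    case "$1" in
        "" | *[!A-Za-z0-9._-]* | -* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Our side of the "passwd chat": print the prompts Samba is waiting for, read the
# %n answers it sends after each one, and require both to match. Sets NEWPWD.
chat_read_password() {
    echo "New password"
    read -r pw1 || return 1          # -r keeps backslashes in the password intact
    echo "Retype new password"
    read -r pw2 || return 1
    if [ -z "$pw1" ] || [ "$pw1" != "$pw2" ]; then
        echo "Sorry, passwords do not match"
        return 1
    fi
    NEWPWD=$pw1
}

# Local shadow password: fed through a pipe, never through argv.
set_local_password() {
    printf '%s\n' "$2" | "$PASSWD_CMD" --stdin "$1" >/dev/null 2>&1
}

# AD password on the other Samba host: same idea, the password travels on the
# ssh session's stdin instead of inside the remote command line.
set_ad_password() {
    printf '%s\n' "$2" | "$SSH_CMD" "$REMOTE_HOST" "$REMOTE_SCRIPT" "$1"
}

main() {
    user=$1
    umask 077
    validate_username "$user" || { echo "invalid user name"; log "rejected user name"; return 1; }
    chat_read_password || { log "chat failed for $user"; return 1; }
    if ! set_local_password "$user" "$NEWPWD"; then
        echo "passwd: local password change failed"
        log "local passwd failed for $user"
        return 1
    fi
    if ! set_ad_password "$user" "$NEWPWD"; then
        # the local change has already happened: record that, and do not claim success to Samba
        echo "passwd: AD password change failed"
        log "AD update failed for $user (local password already changed)"
        return 1
    fi
    log "password aligned for $user"
    # must match the last pattern of the default "passwd chat"
    echo "passwd: all authentication tokens updated successfully"
}

# Run only when a user name is passed (as Samba does); sourcing the file just defines the functions.
[ $# -eq 0 ] || main "$@"
```

Because Samba only reports success when the final chat pattern is seen, printing the "all authentication tokens updated successfully" line only after both updates have returned zero is what turns a failed AD update into a failed password change on the Windows side instead of a silent split between the two domains.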