samba - Sep 2006 - Sync unix and samba passwords

Hi,

We have an Exchange server (server 2003) that is a domain controller and
a few Samba file servers that are not part of the Windows domain. The
Samba servers use their own LDAP directory ( ldapsam backend with
pam_ldap ) that is synchronized to one openldap directory server but is
not synchronized to the Windows domain AD. The workstations are all
local accounts and not members of any domain either. I am happy with
this arrangement despite having to enter user information twice and
would rather not change it.

Goal: I would like to use Services for Unix on the Windows AD controller
to synchronize linux passwords so that the end user has to change
password once for email/Samba and once for local computer.

Problem: When Linux administrator issues the passwd command as in #
passwd <username> the ldap userPassword attribute is changed correctly
but the Samba NT/LM passwords are not also changed.

What I have already done: Googled the issue and found that unix passwd
sync in smb.conf is not what I need. Ldap passwd sync = yes is in
smb.conf. I have found some info on pam_smbpass.so but do not have
enough information to know if this is what I need and how to use it.

Or can someone tell me if this will not work at all. Better ideas?

Thanks!
Craig

> -----Original Message-----
> From: samba-bounces+cjackson=abbott-simses.com@lists.samba.org
> [mailto:samba-bounces+cjackson=abbott-simses.com@lists.samba.org]On
> Behalf Of Craig Jackson
> Sent: Friday, September 29, 2006 3:57 PM
> To: samba@lists.samba.org
> Subject: [Samba] Sync unix and samba passwords
> 
> 
> Hi,
> 
> We have an Exchange server (server 2003) that is a domain 
> controller and
> a few Samba file servers that are not part of the Windows domain. The
> Samba servers use their own LDAP directory ( ldapsam backend with
> pam_ldap ) that is synchronized to one openldap directory 
> server but is
> not synchronized to the Windows domain AD. The workstations are all
> local accounts and not members of any domain either. I am happy with
> this arrangement despite having to enter user information twice and
> would rather not change it.
> 
> Goal: I would like to use Services for Unix on the Windows AD 
> controller
> to synchronize linux passwords so that the end user has to change
> password once for email/Samba and once for local computer.
> 
> Problem: When Linux administrator issues the passwd command as in #
> passwd <username> the ldap userPassword attribute is changed
correctly
> but the Samba NT/LM passwords are not also changed.
> 
> What I have already done: Googled the issue and found that unix passwd
> sync in smb.conf is not what I need. Ldap passwd sync = yes is in
> smb.conf. I have found some info on pam_smbpass.so but do not have
> enough information to know if this is what I need and how to use it.
> 
> Or can someone tell me if this will not work at all. Better ideas?
> 
> Thanks!
> Craig
> -- 

Samba docs say that pam_smbpass.so is in fact what I need and I have 
added the following line to /etc/pam.d/common-passwd

password   required   pam_smbpass.so nullok use_authtok try_first_pass

But #passwd <user> doesn't sync the LDAP NT/LM passwords and there is
this
in the log:

 CRON[18769]: PAM adding faulty module: /lib/security/pam_smbpass.so

According to Samba docs, pam_smbpass.so is used to keep the smbpasswd 
(Samba password) database in sync, but does that really mean ONLY 
smbpasswd or any Samba backend?

Thanks.
Craig