samba - May 2007 - pam_smbpass migrate & null passwords

Hi!

I'm configuring Samba for Unix<->Samba account synchronization and
have
come across a situation which I like, but cannot explain with absolute 
certainty, and am therefore worried about security.

I have set the following:
(Debian uses a bit different structure, but I have expanded @includes in 
this email)

1) Samba -> Unix password sync

    /etc/samba/smb.conf:
      unix password sync = yes
      pam password change = yes

    /etc/pam.d/samba:
      auth     requisite pam_unix.so nullok_secure
      auth     optional  pam_smbpass.so migrate
      account  required  pam_unix.so
      session  required  pam_unix.so

      (don't know why auth, account and session are @included in Debian
       by default, doesn't Samba only use pam for password updates?)

      password requisite pam_unix.so nullok obscure min=4 max=8 md5
      password required  pam_smbpass.so nullok use_authtok try_first_pass

2) Unix -> Samba password sync

    /etc/pam.d/common-password:
      auth     requisite pam_unix.so nullok_secure
      auth     optional  pam_smbpass.so migrate


Now here's what concerns me.

If I do "smbpasswd -an someuser" to add a user with a null password, 
that user will not be able to set his password using smbpasswd, if he 
leaves the old password field empty. Is this observation correct?

Users also cannot smbpasswd -a(dd) themselves; this requires root 
access(direct access to smbpasswd file), right?

I understand that pam_smbpass's migrate option is meant for 
cleartext->encrypted password transition, and that makes perfect sense, 
since in that case the user (-> pam) knows the old password, and can 
just set the password again, this time using encryption.

The thing is, migrate does even more for me when I login using SSH!

It creates the samba user, if it doesn't exist, and it set's the
user's
Samba password, to his Unix password, regardless of what it is.

Now, while this seems very useful to me, I am worried because I haven't 
seen it used like this in any of the guides on the web.

I assume what's going on is that pam_smbpass is executed by SSH before 
dropping privileges, and it thus enables it to directly access the 
smbpasswd file. Is this what's going on here?

If it is, why is this a silent feature? I haven't seen it mentioned in 
anywhere. Are there any security considerations (besides any possible 
vulnerabilities in pam_smbpass itself)?

Regards

-- 

Jaka Jan?ar
http://jaka.kubje.org/