Felip ManyƩ
2007-Aug-23 14:21 UTC
[Samba] Automatically running a script on Samba PDC when Windows user changes his password
Hello,

I've installed a Samba 3 PDC using LDAP authentication, along with the smbldap tools, on Ubuntu GNU/Linux. Everything works fine and (XP Pro) Windows clients can join my domain.

I would like Samba to automatically run a (home made) script on the PDC server when the user changes his password on his machine in order to update it on other servers (for instance our mail server uses another LDAP for authentication, but there are still many accounts of this kind), so that the user has to remember only one password for all these applications.

I've already had a look at the "passwd program" line in my smb.conf file. By default it was commented like this:

    #passwd program = /usr/sbin/smbldap-passwd ?u %u

and "ldap passwd sync" is set to Yes (which seems quite sensible since I use LDAP authentication).

The matter is that I was unable to use this line to automatically run a script as explained above. As an example I've tried to create a file (in a directory with 777 permissions) with the "touch" command (passwd program touch mydirectory/myfile), but it has no effect. I may not have correctly understood this feature, or maybe it cannot be used with LDAP authentication.

Do you know whether this kind of trick is possible, and if so how to achieve it?

Thanks in advance,

Felip.
mups.cp
2007-Aug-23 15:12 UTC
[Samba] Automatically running a script on Samba PDC when Windows user changes his password
You could create a bash/perl script and put your logic inside this file. Change the 'passwd program' to refer to this script. I once tried to define the bash code on one long line, but due to errors I prefer to put the code in a file.

On 8/23/07, Felip Many? <apaxeros@gmail.com> wrote:
> Hello,
>
> I've installed a Samba 3 PDC using LDAP authentication, along with the
> smbldap tools, on Ubuntu GNU/Linux. Everything works fine and (XP Pro)
> Windows clients can join my domain.
> I would like Samba to automatically run a (home made) script on the PDC
> server when the user changes his password on his machine in order to update
> it on other servers (for instance our mail server uses another LDAP for
> authentication, but there are still many accounts of this kind), so that the
> user has to remember only one password for all these applications.
> I've already had a look at the "passwd program" line in my smb.conf file. By
> default it was commented like this:
>
> #passwd program = /usr/sbin/smbldap-passwd ?u %u
>
> and "ldap passwd sync" is set to Yes (which seems quite sensible since I use
> LDAP authentication).
> The matter is that I was unable to use this line to automatically run a
> script as explained above. As an example I've tried to create a file (in a
> directory with 777 permissions) with the "touch" command (passwd program
> touch mydirectory/myfile), but it has no effect. I may not have correctly
> understood this feature, or maybe it cannot be used with LDAP
> authentication.
> Do you know whether this kind of trick is possible, and if so how to achieve
> it ?
>
> Thanks in advance,
>
> Felip.
Gavin Henry
2007-Aug-23 23:20 UTC
[Samba] Automatically running a script on Samba PDC when Windows user changes his password
On 23/08/07, Felip Many? <apaxeros@gmail.com> wrote:
> Hello,
>
> I've installed a Samba 3 PDC using LDAP authentication, along with the
> smbldap tools, on Ubuntu GNU/Linux. Everything works fine and (XP Pro)
> Windows clients can join my domain.
> I would like Samba to automatically run a (home made) script on the PDC
> server when the user changes his password on his machine in order to update
> it on other servers (for instance our mail server uses another LDAP for
> authentication, but there are still many accounts of this kind), so that the
> user has to remember only one password for all these applications.

Maybe you should be tackling this on the Directory server side.

--
http://www.suretecsystems.com/services/openldap/
Edmundo Valle Neto
2007-Aug-24 01:02 UTC
[Samba] Automatically running a script on Samba PDC when Windows user changes his password
Felip Many? wrote:
> Hello,
>

Hello.

> I've installed a Samba 3 PDC using LDAP authentication, along with the
> smbldap tools, on Ubuntu GNU/Linux. Everything works fine and (XP Pro)
> Windows clients can join my domain.
> I would like Samba to automatically run a (home made) script on the PDC
> server when the user changes his password on his machine in order to update
> it on other servers (for instance our mail server uses another LDAP for
> authentication, but there are still many accounts of this kind), so that the
> user has to remember only one password for all these applications.
> I've already had a look at the "passwd program" line in my smb.conf file. By
> default it was commented like this:
>
> #passwd program = /usr/sbin/smbldap-passwd ?u %u
>

It's "-u" not "?u".

> and "ldap passwd sync" is set to Yes (which seems quite sensible since I use
> LDAP authentication).
>

These options serve similar purposes. "ldap passwd sync" works alone. "unix password sync" works by executing "passwd program" with "passwd chat" to sync the unix password. With LDAP, just setting "ldap password sync" is enough, and when "unix password sync" is set to no, the other options aren't used. So, you can set "unix password sync" and put another script (it wasn't made for that purpose, but works). Or turn off "ldap password sync" and use "unix password sync" with a changed smbldap-tools script that does what it already does plus what you want it to do.

> The matter is that I was unable to use this line to automatically run a
> script as explained above. As an example I've tried to create a file (in a
> directory with 777 permissions) with the "touch" command (passwd program
> touch mydirectory/myfile), but it has no effect.

This script is executed by root, so the permissions assigned to others don't make much difference. The script cannot be executed as a normal user.

> I may not have correctly
> understood this feature, or maybe it cannot be used with LDAP
> authentication.
>

If you didn't have "unix password sync = yes" it will not execute. I just don't know what the behavior of samba would be if the command or script that you put in there begins to write things to stdout or stderr.

> Do you know whether this kind of trick is possible, and if so how to achieve
> it ?
>
> Thanks in advance,
>
> Felip.
>

Take a look at the man page of smb.conf, there's some details to make a "passwd program" work. It should honor the password chat too and will always be executed as root. I use something like that (changing the smbldap-tools script) to sync digest hashes for authentication through the squid digest ldap helper.

Regards.

Edmundo Valle Neto
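
The approach described in the reply above (keep "ldap passwd sync", enable "unix password sync" and point "passwd program" at a separate script) could look like the following sketch, which is an added example and not code from the thread or from Samba or smbldap-tools. The script path, the chat strings and the downstream command `SYNC_CMD` are assumptions of this example; because the hook runs as root, it validates the `%u` value and passes the password only over a pipe.

```sh
#!/bin/sh
# Added example: hook for smb.conf "passwd program"; smbd runs it as root.
# Assumed smb.conf lines (script path and chat strings are this example's own):
#   unix password sync = yes
#   passwd program = /usr/local/sbin/pw-sync-hook %u
#   passwd chat = *New*password* %n\n *Retype*password* %n\n *updated*

# Hypothetical site-specific command: takes the user name as its argument
# and reads the new password from stdin.
SYNC_CMD="${SYNC_CMD:-/usr/local/sbin/push-password}"

# %u is filled in from the change request: accept only a conservative
# account-name shape (no leading dash, no shell metacharacters).
valid_user() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

pw_sync_hook() {
    user=${1:-}
    valid_user "$user" || { echo "rejected user name"; return 2; }

    # Prompts must match the expect strings in "passwd chat".
    printf 'New password: '
    IFS= read -r pw1 || return 3
    printf '\nRetype password: '
    IFS= read -r pw2 || return 3
    if [ -z "$pw1" ] || [ "$pw1" != "$pw2" ]; then
        echo "passwords do not match"; return 3
    fi

    # Hand the password over a pipe: never in argv (visible in ps) or a log.
    if ! printf '%s\n' "$pw1" | "$SYNC_CMD" "$user"; then
        echo "sync failed"; return 4
    fi
    echo "password updated"
}

# Run only when installed under the hook's name, so the file can be sourced.
case "$0" in
    *pw-sync-hook) pw_sync_hook "$@"; exit $? ;;
esac
```

When debugging the chat, keep in mind that "passwd chat debug = yes" writes the passwords to the smbd log in plain text, so it should be switched off again afterwards.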