samba - Jun 2019 - 2019 , yet a replacement for pam_smbpass.o ?

Dear SAMBA Experts,

2015 Andrew stated on a redhat bugreport that you (samba.org) are going to
drop pam_smbpass.o from the samba sources, which then happened with samba 4
as i can see. however... to me and it seems many others this seems to be a
problem now, since this module was often used to keep the users samba
passwords in sync with the (leading) system passwords on "mixed"
systems,
where the users are supposed to have classic linux accounts (for ssh login)
AND also want to use  samba to conveniently access files from their windows
workstations. Now you might ask, why then isnt the samba joined to the
existing windows domain or AD?  several reasons for that. most likely
because the linux system/samba servers must be autonomous using its own
local linux accounts and may not use other authorities. so
security/authority separation.

pam_smbpass.o seem to solved that problem for lots of people back then.
keeps it simple, obeys pam stacks together with many other pam modules and
simply puts the users "new password" into the local samba SAM. problem
solved.

since the tool is gone for several years now, the question that still seems
to be there is, how to replace that module? how to solve the
authority/synchronisation problem within a single server, when you want
users to use "passwd" or any other single command interface to
maintain
their passwords for both worlds? is the solution to have a local ldap
answer ? will this keep the passwords synced, while having several PAM
modules to achieve a strong password policy?

i searched around for weeks and still didnt found anything promising that
might offer something similar and simple as pam_smbpass.so for the
"password" pam stack.
So im pretty lost now, hoping you can push me in the right direction or
have an idea how to solve the PW sync problem in 2019 in a way where the
linux accounts are the the leading authority so we can achieve a proper
password policy and complexity samba didnt seem to support.

thanks for any hint in advance!

regards

Axel Werner
email: axel.werner.1973 at gmail.com

On 17/06/2019 10:22, Axel Werner via samba wrote:
> Dear SAMBA Experts,
>
> 2015 Andrew stated on a redhat bugreport that you (samba.org) are going to
> drop pam_smbpass.o from the samba sources, which then happened with samba 4
> as i can see. however... to me and it seems many others this seems to be a
> problem now, since this module was often used to keep the users samba
> passwords in sync with the (leading) system passwords on "mixed"
systems,
> where the users are supposed to have classic linux accounts (for ssh login)
> AND also want to use  samba to conveniently access files from their windows
> workstations. Now you might ask, why then isnt the samba joined to the
> existing windows domain or AD?
OK, why not join the domain ?
>   several reasons for that. most likely
> because the linux system/samba servers must be autonomous using its own
> local linux accounts and may not use other authorities. so
> security/authority separation.
How can that be a valid reason to not join the domain ?
If you have the same username & password in AD and on your Linux system, 
you can log into either the Linux system or a domain member, so why not 
make life easier and actually join the domain ?
>
> pam_smbpass.o seem to solved that problem for lots of people back then.
> keeps it simple, obeys pam stacks together with many other pam modules and
> simply puts the users "new password" into the local samba SAM.
problem
> solved.
>
> since the tool is gone for several years now, the question that still seems
> to be there is, how to replace that module? how to solve the
> authority/synchronisation problem within a single server, when you want
> users to use "passwd" or any other single command interface to
maintain
> their passwords for both worlds? is the solution to have a local ldap
> answer ? will this keep the passwords synced, while having several PAM
> modules to achieve a strong password policy?
>
> i searched around for weeks and still didnt found anything promising that
> might offer something similar and simple as pam_smbpass.so for the
> "password" pam stack.
> So im pretty lost now, hoping you can push me in the right direction or
> have an idea how to solve the PW sync problem in 2019 in a way where the
> linux accounts are the the leading authority so we can achieve a proper
> password policy and complexity samba didnt seem to support.
>
> thanks for any hint in advance!
There is now the possibility to sync passwords from a Samba AD DC, see 
here for how to do it:

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

Rowland