On 17/06/2019 10:22, Axel Werner via samba wrote:
> Dear SAMBA Experts,
>
> 2015 Andrew stated on a redhat bugreport that you (samba.org) are going to
> drop pam_smbpass.o from the samba sources, which then happened with samba 4
> as i can see. however... to me and it seems many others this seems to be a
> problem now, since this module was often used to keep the users samba
> passwords in sync with the (leading) system passwords on "mixed" systems,
> where the users are supposed to have classic linux accounts (for ssh login)
> AND also want to use samba to conveniently access files from their windows
> workstations. Now you might ask, why then isn't the samba joined to the
> existing windows domain or AD?
OK, why not join the domain ?
> several reasons for that. most likely
> because the linux system/samba servers must be autonomous using its own
> local linux accounts and may not use other authorities. so
> security/authority separation.
How can that be a valid reason to not join the domain ?
If you have the same username & password in AD and on your Linux system,
you can log into either the Linux system or a domain member, so why not
make life easier and actually join the domain ?
>
> pam_smbpass.o seems to have solved that problem for lots of people back then.
> keeps it simple, obeys pam stacks together with many other pam modules and
> simply puts the users "new password" into the local samba SAM. problem
> solved.
>
> since the tool is gone for several years now, the question that still seems
> to be there is, how to replace that module? how to solve the
> authority/synchronisation problem within a single server, when you want
> users to use "passwd" or any other single command interface to maintain
> their passwords for both worlds? is the solution to have a local ldap
> answer ? will this keep the passwords synced, while having several PAM
> modules to achieve a strong password policy?
>
> i searched around for weeks and still didn't find anything promising that
> might offer something similar and simple as pam_smbpass.so for the
> "password" pam stack.
> So I'm pretty lost now, hoping you can push me in the right direction or
> have an idea how to solve the PW sync problem in 2019 in a way where the
> linux accounts are the leading authority so we can achieve a proper
> password policy and complexity samba didn't seem to support.
>
> thanks for any hint in advance!
There is now the possibility to sync passwords from a Samba AD DC, see
here for how to do it:
https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
Rowland