Buchan Milne wrote:
>
> [EMAIL PROTECTED] wrote:
> > hi,
> >
> > i've setup a LDAP server with account information,
> > and compiled samba with ldap support.
> >
> > everything works great, except for the password changes
> > i still have to run two separate commands ( passwd, smbpasswd )
> > to change a user's password.
> >
> > i've tried to put the pam_smbpasswd.so module into
> > system-auth, but that does work?
> >
>
> No, pam_smbpasswd is meant for modifying the smbpasswd file, it doesn't
> do anything else.
>
> I found the best solution was to use:
>
> unix password sync = yes
> pam password change = yes
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
> *LDAP*passwd:*all*authentication*tokens*updated*successfully*
>
> (not sure if the passwd chat is necessary)
>
> and then modify your /etc/pam.d/passwd to do password changes via LDAP.
> This ensures that password changes from samba apply the same rules that
> any other password change would apply.
>
> Only problem I have now is if a user does a unix password change, it
> currently won't change their windows password, but I believe there is a
> hacked pam_ldap which will do that too.
>
> (I have some issues with the idealx stuff, but it should all work out
> the box on recent Mandrake RPMs).

You seem to be in a bit of a mess here...

pam_smbpass uses Samba's passdb backend to communicate with smbpasswd,
or Samba's LDAP backend. It allows the full range of operations normally
available on /etc/shadow: checking and changing passwords, both as root
and a normal user.

This should allow you to keep just one password database, and not use
/etc/shadow. Or you can keep them both in sync, by listing both in your
PAM configuration.

The other thing mentioned here (unix password sync) is a way to sync
incoming remote password changes with 2 sources, the smbpasswd file/LDAP
equiv and some 'unix' password system. This only matters if you keep the
unix password file - you may be better to use pam_smbpass and just use
one.

A third option is with Samba 3.0, we have 'ldap password sync', this sets
the userPassword attribute in LDAP via an extended operation, and lets
you aim pam_ldap at your LDAP DB.

A fourth option (again 3.0) is to run winbindd on your PDC, set 'winbind
use default domain' and use pam_winbind.

In any case, there are certainly plenty of solutions here...

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net