Andrew Bartlett wrote:
> Buchan Milne wrote:
>
>> [EMAIL PROTECTED] wrote:
>>
>>> hi,
>>>
>>> i've setup a LDAP server with account information,
>>> and compiled samba with ldap support.
>>>
>>> everything works great, except for the password changes
>>> i still have to run two separate commands ( passwd, smbpasswd )
>>> to change a user's password.
>>>
>>> i've tried to put the pam_smbpasswd.so module into
>>> system-auth, but that does work?

The funny thing about this thread is that pam_smbpasswd shouldn't really affect what happens when a user changes their password via samba ...

Adriaan, if you haven't sorted this out, what are you aiming at doing? Just keeping the unix and samba password in LDAP in sync from a password change via samba, or is it more complex than that?

>> No, pam_smbpasswd is meant for modifying the smbpasswd file, it doesn't
>> do anything else.
>>
>> I found the best solution was to use:
>>
>> unix password sync = yes
>> pam password change = yes
>> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n
>> *LDAP*passwd:*all*authentication*tokens*updated*successfully*
>>
>> (not sure if the passwd chat is necessary)
>>
>> and then modify your /etc/pam.d/passwd to do password changes via LDAP.
>> This ensures that password changes from samba apply the same rules that
>> any other password change would apply.
>>
>> Only problem I have now is if a user does a unix password change, it
>> currently won't change their windows password, but I believe there is a
>> hacked pam_ldap which will do that too.
>>
>> (I have some issues with the idealx stuff, but it should all work out
>> the box on recent Mandrake RPMs).
>
> You seem to be in a bit of a mess here...
>
> pam_smbpass uses Samba's passdb backend to communicate with smbpasswd,
> or Samba's LDAP backend.  It allows the full range of operations
> normally available on /etc/shadow:  checking and changing passwords,
> both as root and a normal user.

The documentation doesn't reflect that, unless you make assumptions about what smbpasswd means ... and previous comments on [EMAIL PROTECTED] on it implied it only worked with the smbpasswd file backend.

And (AFAIK) it only solves password changes which occur on a/the DC, the problem remains with users changing passwords from unix client machines, only their unix password will be changed, they will have to manually change their windows password.

Or am I missing something?

> This should allow you to keep just one password database, and not use
> /etc/shadow.  Or you can keep them both in sync, by listing both in your
> PAM configuration.
>
> The other thing mentioned here (unix password sync) is a way to sync
> incoming remote password changes with 2 sources, the smbpasswd file/LDAP
> equiv and some 'unix' password system.  This only matters if you keep
> the unix password file - you may be better to use pam_smbpass and just
> use one.

Well, 'pam password change' with pam_ldap allows you to keep LDAP passwords in sync, and there are some things (phpgroupware for one) which can authenticate by LDAP but not by pam (so pam_smb is out of the question).

> A third option is with Samba 3.0, we have 'ldap password sync', this
> sets the userPassword attribute in LDAP via an extended operation, and
> lets you aim pam_ldap at your LDAP DB.
>
> A fourth option (again 3.0) is to run winbindd on your PDC, set 'winbind
> use default domain' and use pam_winbind.

Do you mean running winbind on the unix clients?

Then you have uid mismatches, so you can't use NFS? Or is there a way to
keep the winbind rid/uid/gid mapping consistent between machines?

> In any case, there are certainly plenty of solutions here...

But the only way to address users on unix clients changing their password is with a hacked up pam_ldap that will change ntPassword and lmPassword.
Regards,
Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
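As an added example (not from this thread, nor from the Samba project), the setup Buchan describes: an smb.conf fragment that pushes a Samba-initiated password change through PAM, and a PAM password stack that updates both the LDAP userPassword and the Samba hashes, so a change from a Windows client lands in both. The LDAP server name is a placeholder, and the exact chat patterns depend on the prompts your PAM modules print; which PAM service file smbd consults (smbd asks PAM for the service "samba" on most builds, often a file that includes the system-wide stack) is an assumption to verify on your system.

```ini
# --- /etc/samba/smb.conf, [global] section ---
[global]
   passdb backend = ldapsam:ldap://ldap.example.com   ; placeholder server
   # Run the new password through PAM as well, so the LDAP/unix password
   # is changed under the same rules as any other passwd run.
   unix password sync = yes
   pam password change = yes
   # Expected-reply patterns must match what the PAM modules below print;
   # adjust them after testing a change with 'log level = 10' on smbd.
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *successfully*
   # Samba 3.0 alternative: smbd sets userPassword itself through the
   # LDAP password-modify extended operation, with no PAM round-trip.
   ; ldap passwd sync = yes

# --- /etc/pam.d/passwd (the stack the thread refers to) ---
# Order matters: the first module prompts for the new password and stores
# it in the PAM auth token; use_authtok makes the later modules reuse that
# token instead of prompting again, so every store gets the same value.
password   required   pam_cracklib.so retry=3 minlen=8
password   required   pam_ldap.so     use_authtok
password   required   pam_smbpass.so  use_authtok nullok
```

Note that the Samba 3.0 LDAP schema stores the hashes in sambaNTPassword and sambaLMPassword rather than the ntPassword and lmPassword attributes named in the thread, so any pam_ldap patch that writes them directly must target the right attribute names for the schema in use.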
