Jim,

The only advantage that pam_smbpass gives you over the built-in LDAP methods is that it allows the passwords to be migrated WITHOUT a password change (successful auth is enough to trigger the migration in a properly configured PAM setup). If you are planning to force every user to change their password in order to be migrated, there is no need to use pam_smbpass as there are better LDAP built-in tools to accomplish the same thing (that will not require you to jump through the additional hurdle of importing the newly-created smbpasswd file to LDAP).

In my case, it was unacceptable to make 10,000 students change their passwords to get them into the smbpasswd file. What we did (note, we were actually using smbpasswd at that time, so it was the obvious choice) is to use the migrate argument (or whatever it is called -- the docs mention it) in order to migrate them into smbpasswd when they logged into our lab next. After a few months we were confident everyone made it in, and we pulled the trigger on using that passdb instead of the unencrypted use of /etc/passwd.

Is this clearer now?

Deas, Jim wrote:
> I need to let my users change their password using PAM to preserve the
> existing ldap authentication system. How can I force pam to sync the smb
> password to the unix one?
>
> I am running Fedora 7 package on an x86-64 system. I have smb working
> via ldap and sambasam.schema (v3.0.24). I have unix password sync = yes
> but it should not come into play as I never plan to reset passwords via
> smbd.
>
> In '/etc/pam.d/system-auth' I was trying to use pam_smbpass.so
>
> The original pam script for password had
>
> password sufficient pam_ldap.so use_authtok
>
> I changed it to:
>
> password requisite pam_ldap.so use_authtok
> password required pam_smbpass.so use_authtok try_first_pass
>
> The problem is I get a token manipulation error. Am I using it wrong?
>
> What would be even better is if someone knows how to do this directly in
> Fedora DS so all avenues of changing the password would change both.
> Apparently smbpasswd depends on smbd running so that is not an option. I
> don't know if pdbedit could do it or be launched as a script directly
> from the directory server.

--
Ryan Novosielski - Systems Programmer II
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
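
The migrate-on-login setup described in the reply above, as an added example that is not part of the original message: a PAM service file in which pam_smbpass runs with its `migrate` option once the existing Unix authentication has succeeded. The use of pam_unix as the primary module, the control flags and the module order are assumptions, not the poster's actual configuration.

```conf
# Added example (not from the original thread).
# Assumed layout: accounts currently authenticate through pam_unix, as in
# the /etc/passwd-based setup the reply describes.

# Primary authentication. "requisite" aborts the stack on failure, so the
# pam_smbpass line below only runs for a password that was just verified.
auth       requisite    pam_unix.so

# "migrate" is only meaningful in the auth stack: after a successful login
# it stores the password the user typed in Samba's password database, so
# no password change is needed. "optional" keeps a Samba-side failure from
# blocking the login itself.
auth       optional     pam_smbpass.so migrate

account    required     pam_unix.so

# Later password changes: pam_unix prompts for and sets the new password,
# then pam_smbpass reuses that same token (use_authtok) instead of
# prompting again, so both databases receive the same new password.
password   requisite    pam_unix.so
password   required     pam_smbpass.so nullok use_authtok try_first_pass

session    required     pam_unix.so
```

Progress of the migration can be followed by counting the accounts listed by `pdbedit -L` against the number of Unix accounts before switching the passdb over.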
