I am looking to move to encrypted passwords -- pam_smbpass looks like a very attractive option to me. However, here is my problem: the way a user FIRST logs in, 90% of the time, is in the lab, through a Win98 and Samba machine. Therefore, the user MUST be able to log in with their new account/password (or for that matter, existing user account/password pre-migration) to Samba first. Our account creation procedure is the following:

1) Account is created
2) User comes to support and checks to see if account is ready
3) User changes password (from privileged account at support desk, akin to sudo)
4) User walks away and typically goes to try their account on lab PCs, or if not that time, at least will log in for his/her first time to a lab PC

...my assumption is that in this case, the password change will take care of the creation/password changing of the smbpasswd entry. However, what about accounts that are in our /etc/passwd already? Does pam_smbpass update passwords in smbpasswd WITHOUT encrypted passwords turned on (something akin to 'update encrypted'), or must I turn encryption on FIRST, thus making it impossible for any user to log onto a lab PC (and therefore not allowing them to access any other means of logging into the machine)?

Also, one final question... the pam.conf entries:

    auth optional /lib/security/pam_smbpass.so migrate

...and...

    password required /lib/security/pam_smbpass.so use_authtok try_first_pass / migrate

...do these only affect first logins, or does this mean any user who properly authenticates on our machines (via telnet, ssh) will have their password synced with smbpasswd?

BASICALLY, to sum up... this is what I would /like/ to have happen, and maybe someone can tell me how close I can come to the ideal:

1) Compile/install Samba (Samba is currently running, but an update to 2.2.7a is in order anyway) and modify pam.conf (HP-UX) to include the above modules
2) Wait a while for users to log in through all services -- as many as possible (can a sync be triggered by, for example, an imapd or pop3d login? many of our users don't bother with interactive logins), INCLUDING Samba while encrypted passwords are turned off.
3) When it appears as if enough users have logged in (so that we are not bombarded with users that cannot do Samba logins in the lab and will need assistance from staff), "flip the switch" as it were to start using encrypted passwords.

Is all of that possible?
----
Ryan Novosielski - Jr. UNIX Systems Admin
Univ. of Med. and Dent. | IST/ACS - New Jersey Medical School - C630
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
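
An added example, not part of the original post: one way to judge step 3 ("enough users have logged in") is to compare the passwd file against smbpasswd and list accounts that still have no usable NT hash. It assumes the colon-separated smbpasswd layout (name, uid, LM hash, NT hash, [flags], LCT time); the sample lines, the MIN_UID cutoff and the function names are constructed for illustration.

```python
import re

MIN_UID = 100  # assumption: lower UIDs are system accounts, not lab users
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample data (not from the original post).
SAMPLE_PASSWD = """\
root:x:0:3::/:/sbin/sh
alice:x:201:20:Alice:/home/alice:/usr/bin/sh
bob:x:202:20:Bob:/home/bob:/usr/bin/sh
carol:x:203:20:Carol:/home/carol:/usr/bin/sh
"""
SAMPLE_SMBPASSWD = """\
alice:201:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3E5A0000:
bob:202:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
"""


def rows(text):
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def unix_users(passwd_text, min_uid=MIN_UID):
    """Names of regular accounts (UID >= min_uid) in passwd-format text."""
    return {f[0] for f in rows(passwd_text)
            if len(f) >= 7 and f[2].isdigit() and int(f[2]) >= min_uid}


def smb_ready(smbpasswd_text):
    """Names whose smbpasswd entry holds a real NT hash and is not disabled."""
    ready = set()
    for f in rows(smbpasswd_text):
        # f[3] is the NT hash; unset entries hold placeholder X's, not 32 hex digits.
        if len(f) >= 5 and HEX32.match(f[3]) and "D" not in f[4]:
            ready.add(f[0])
    return ready


def migration_report(passwd_text, smbpasswd_text):
    """Summarise how many Unix accounts could log in with encrypted passwords."""
    users = unix_users(passwd_text)
    pending = sorted(users - smb_ready(smbpasswd_text))
    done = len(users) - len(pending)
    pct = round(100.0 * done / len(users), 1) if users else 0.0
    return {"total": len(users), "migrated": done, "pending": pending, "percent": pct}
```

Pass the contents of the real passwd and smbpasswd files to `migration_report`; the `pending` list names the users who would need help from staff if encryption were switched on at that moment.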