LinuxQuestions.org


MarleyGPN 09-08-2003 10:02 PM

Is there a way to sync Samba passwords with linux user passwords
 
Hi,

When I create new users the login id and password works with telnet and ftp. Is there a way I can have it automatically set the password for samba?

This is what I currently have to do

Create user

adduser someone
# configure that user
smbpasswd
# use same pass that I used on adduser

Is there any way I can have this set up so I don't need to run smbpasswd every time I create a user? For example, would it be possible to have smbd read the password file from /etc/shadow, rather than from /etc/samba/private/smbpasswd?

Thetargos 09-09-2003 02:09 AM

Yes, you can; just make sure that their login/password settings for Windows are the same in Linux*. If you are trying to set various Linux boxes in Samba you have a problem: you cannot have automatic login from within Linux.

To solve your problem about the users and passwords, use GnoSamba or SWAT (I prefer the former): you simply tell GnoSamba which users have access to your computer once, and it automatically adds them. The Linux/Linux on SMB is not solved though. The user still has to log in to the SMB server.

* Windows broadcasts the login options (a security whole (hole), yes... I love the irony of these homophones :D) but warranties(?) that the users will log in automatically on trusted(?) systems.

sidmark-2850 09-09-2003 11:59 AM

From man smb.conf

Code:

      passwd chat (G)
              This  string  controls the "chat" conversation that takes places
              between smbd and the local password changing program  to  change
              the  user's  password.  The  string  describes  a  sequence  of
              response-receive pairs that  smbd(8) uses to determine  what  to
              send  to  the  passwd  program  and  what to expect back. If the
              expected output  is  not  received  then  the  password  is  not
              changed.

              This  chat  sequence  is often quite site specific, depending on
              what local methods are used for password control  (such  as  NIS
              etc).

              Note  that  this  parameter is only used if the unix password
              sync parameter is set to yes. This sequence is  then  called  AS
              ROOT  when  the  SMB  password  in  the  smbpasswd file is being
              changed, without access to  the  old  password  cleartext.  This
              means  that root must be able to reset the user's password with-
              out knowing the text of the previous password. In  the  presence
              of  NIS/YP,  this means that the passwd program must be executed
              on the NIS master.

              The string can contain the macro %n which is substituted for the
              new  password.  The  chat sequence can also contain the standard
              macros \n, \r,  \t and \s to  give  line-feed,  carriage-return,
              tab  and  space. The chat sequence string can also contain a '*'
              which matches any sequence of characters.  Double quotes can  be
              used  to  collect  strings  with  spaces  in  them into a single
              string.

              If the send string in any part of the chat sequence  is  a  full
              stop  ".",  then  no  string  is  sent. Similarly, if the expect
              string is a full stop then no string is expected.

              If the pam password change parameter is set  to  yes,  the  chat
              pairs  may be matched in any order, and success is determined by
              the PAM result, not any  particular  output.  The  \n  macro  is
              ignored for PAM conversions.

              See also unix password sync,  passwd program , passwd chat debug
              and  pam password change.

              Default: passwd chat = *new*password* %n\n  *new*password*  %n\n
              *changed*

              Example:  passwd  chat = "*Enter OLD password*" %o\n "*Enter NEW
              password*"  %n\n  "*Reenter  NEW  password*"  %n\n  "*Password
              changed*"

      passwd chat debug (G)
              This  boolean  specifies  if the passwd chat script parameter is
              run in debug mode. In  this  mode  the  strings  passed  to  and
              received  from  the  passwd  chat are printed in the smbd(8) log
              with a debug level of 100. This is a dangerous option as it will
              allow  plaintext  passwords  to  be  seen in the smbd log. It is
              available to help Samba admins debug their passwd  chat  scripts
              when  calling  the passwd program and should be turned off after
              this has been done. This option has no effect if the pam password
              change parameter is set. This parameter is off by default.

              See also passwd chat , pam password change , passwd program .

              Default: passwd chat debug = no

      passwd program (G)
              The  name  of  a program that can be used to set UNIX user pass-
              words. Any occurrences of %u will  be  replaced  with  the  user
              name.  The user name is checked for existence before calling the
              password changing program.

              Also note that many passwd programs insist in  reasonable  pass-
              words,  such as a minimum length, or the inclusion of mixed case
              chars and digits. This can pose a problem as some clients  (such
              as Windows for Workgroups) uppercase the password before sending
              it.

              Note that if the unix password sync parameter is set to yes then
              this  program  is  called AS ROOT before the SMB password in the
              smbpasswd(5) file is changed. If this UNIX password change fails,
              then smbd will fail to change the SMB password also (this is by
              design).

              If  the  unix password sync parameter is set this parameter MUST
              USE ABSOLUTE PATHS for ALL programs called, and must be examined
              for  security  implications.  Note that by default unix password
              sync is set to no.

              See also unix password sync.

              Default: passwd program = /bin/passwd

              Example: passwd program = /sbin/npasswd %u


      unix password sync (G)
              This  boolean  parameter controls whether Samba attempts to syn-
              chronize the UNIX  password  with  the  SMB  password  when  the
              encrypted  SMB  password  in  the smbpasswd file is changed.  If
              this is set to yes the program specified in the passwd  program
              parameter  is called AS ROOT - to allow the new UNIX password to
              be set without access to the old UNIX password (as the SMB pass-
              word  change  code  has no access to the old password cleartext,
              only the new).

              See also passwd program,  passwd chat.

              Default: unix password sync = no


There may be other parameters that I missed. Do a man smb.conf and look for any passwd parameters.

You can set samba to authenticate by pam. You will have to do some reading. I think the pam method sends clear text passwords over the network and that is something that you don't want to happen. If your users have shell access to the samba server, disable them from using the passwd command by chmodding it.

Quote:

This is what I currently have to do

Create user

adduser someone
# configure that user
smbpasswd
# use same pass that I used on adduser

You should set this password to some initial value and have the user change it themselves from Windows. This way, both unix and samba passwords will be changed immediately.

Cheers
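
An added example, not part of the thread and not Samba's own code: a small Python check that reads an smb.conf and flags the password-sync settings the man page excerpt quoted above warns about (chat debugging, a non-absolute `passwd program`, a missing `%u`). The sample configuration and the `/usr/bin/passwd` style paths are constructed, and the parser assumes one parameter per line with no backslash continuations.

```python
import configparser

# Constructed sample smb.conf for illustration; not taken from the thread.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = EXAMPLE
    unix password sync = yes
    passwd program = passwd %u
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*
    passwd chat debug = yes
"""

def load_global(text):
    """Parse smb.conf text and return the [global] parameters as a dict."""
    parser = configparser.ConfigParser(
        interpolation=None,           # %n and %u are Samba macros, not Python ones
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        strict=False,
    )
    # Strip indentation so configparser does not treat lines as continuations.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    section = next((s for s in parser.sections() if s.lower() == "global"), None)
    if section is None:
        return {}
    # Compare parameter names lower-cased and with single spaces.
    return {" ".join(k.split()): v.strip() for k, v in parser.items(section)}

def is_yes(params, name):
    return params.get(name, "no").lower() in {"yes", "true", "1"}

def audit(text):
    """Return findings for the password-sync parameters quoted from smb.conf."""
    g = load_global(text)
    findings = []
    # Per the man page, chat debug has no effect when pam password change is set.
    if is_yes(g, "passwd chat debug") and not is_yes(g, "pam password change"):
        findings.append("passwd chat debug = yes: plaintext passwords can appear in the smbd log")
    if is_yes(g, "unix password sync"):
        program = g.get("passwd program", "/bin/passwd").split()
        if not program or not program[0].startswith("/"):
            findings.append("passwd program runs as root but is not an absolute path")
        if "%u" not in " ".join(program):
            findings.append("passwd program has no %u, so no user name is passed to it")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print("WARNING:", finding)
```
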


All times are GMT -5.