From man smb.conf
passwd chat (G)
This string controls the "chat" conversation that takes place
between smbd and the local password changing program to change
the user's password. The string describes a sequence of
response-receive pairs that smbd(8) uses to determine what to
send to the passwd program and what to expect back. If the
expected output is not received then the password is not
This chat sequence is often quite site specific, depending on
what local methods are used for password control (such as NIS
Note that this parameter is only used if the unix password
sync parameter is set to yes. This sequence is then called AS
ROOT when the SMB password in the smbpasswd file is being
changed, without access to the old password cleartext. This
means that root must be able to reset the user's password without
knowing the text of the previous password. In the presence
of NIS/YP, this means that the passwd program must be executed
on the NIS master.
The string can contain the macro %n which is substituted for the
new password. The chat sequence can also contain the standard
macros \n, \r, \t and \s to give line-feed, carriage-return,
tab and space. The chat sequence string can also contain a '*'
which matches any sequence of characters. Double quotes can be
used to collect strings with spaces in them into a single
If the send string in any part of the chat sequence is a full
stop ".", then no string is sent. Similarly, if the expect
string is a full stop then no string is expected.
If the pam password change parameter is set to yes, the chat
pairs may be matched in any order, and success is determined by
the PAM result, not any particular output. The \n macro is
ignored for PAM conversions.
See also unix password sync, passwd program, passwd chat debug
and pam password change.
Default: passwd chat = *new*password* %n\n *new*password* %n\n
Example: passwd chat = "*Enter OLD password*" %o\n "*Enter NEW
password*" %n\n "*Reenter NEW password*" %n\n "*Password
passwd chat debug (G)
This boolean specifies if the passwd chat script parameter is
run in debug mode. In this mode the strings passed to and
received from the passwd chat are printed in the smbd(8) log
with a debug level of 100. This is a dangerous option as it will
allow plaintext passwords to be seen in the smbd log. It is
available to help Samba admins debug their passwd chat scripts
when calling the passwd program and should be turned off after
this has been done. This option has no effect if the pam password
change parameter is set. This parameter is off by default.
See also passwd chat, pam password change, passwd program.
Default: passwd chat debug = no
passwd program (G)
The name of a program that can be used to set UNIX user passwords.
Any occurrences of %u will be replaced with the user
name. The user name is checked for existence before calling the
password changing program.
Also note that many passwd programs insist on reasonable passwords,
such as a minimum length, or the inclusion of mixed case
chars and digits. This can pose a problem as some clients (such
as Windows for Workgroups) uppercase the password before sending
Note that if the unix password sync parameter is set to yes then
this program is called AS ROOT before the SMB password in the
file is changed. If this UNIX password change fails, then smbd
will fail to change the SMB password also (this is by design).
If the unix password sync parameter is set this parameter MUST
USE ABSOLUTE PATHS for ALL programs called, and must be examined
for security implications. Note that by default unix password
sync is set to no.
See also unix password sync.
Default: passwd program = /bin/passwd
Example: passwd program = /sbin/npasswd %u
unix password sync (G)
This boolean parameter controls whether Samba attempts to synchronize
the UNIX password with the SMB password when the
encrypted SMB password in the smbpasswd file is changed. If
this is set to yes the program specified in the passwd program
parameter is called AS ROOT - to allow the new UNIX password to
be set without access to the old UNIX password (as the SMB password
change code has no access to the old password cleartext,
only the new).
See also passwd program, passwd chat.
Default: unix password sync = no
There may be other parameters that I missed. Do a man smb.conf and look for any passwd parameters.
You can set samba to authenticate by pam. You will have to do some reading. I think the pam method sends clear text passwords over the network and that is something that you don't want to happen. If your users have shell access to the samba server, disable them from using the passwd command by chmodding it.
This is what I currently have to do
# configure that user
# use same pass that I used on adduser
You should set this password to some initial value and have the user change it themselves from windows. This way, both unix and samba passwords will be changed immediately.
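An added example, not part of the original post or of Samba itself: a small checker for the two risks the quoted manual text calls out, passwd chat debug logging passwords in cleartext and a root-run passwd program that is not an absolute path. The function names (parse_global, is_on, audit) and the sample configuration are assumptions made for illustration.

```python
TRUE = {"yes", "true", "1"}  # boolean spellings documented in smb.conf(5)

def parse_global(text):
    """Return the [global] parameters of an smb.conf, names normalised."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names ignore case and whitespace
            params["".join(key.lower().split())] = value.strip()
    return params

def is_on(params, name):
    return params.get(name, "no").lower() in TRUE

def audit(text):
    """Return findings for the risks the manual page calls out."""
    p, findings = parse_global(text), []
    # Debug output is only produced on the non-PAM chat path.
    if is_on(p, "passwdchatdebug") and not is_on(p, "pampasswordchange"):
        findings.append("passwd chat debug = yes: new passwords are logged in cleartext")
    if is_on(p, "unixpasswordsync"):
        argv = p.get("passwdprogram", "/bin/passwd").split()
        if not argv or not argv[0].startswith("/"):
            findings.append("passwd program runs as root but is not an absolute path")
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
[global]
   Unix Password Sync = Yes
   passwd program = passwd %u
   passwd chat = *new*password* %n\\n \\
                 *new*password* %n\\n
   passwd chat debug = yes
[homes]
   passwd chat debug = no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```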