Old 11-04-2002, 04:53 PM   #1
chupacabra
Member
 
Registered: Oct 2002
Posts: 30

Rep: Reputation: 15
samba and remote PAM authentication


running samba: 2.2.5
kernel: 2.4.18-17
distro: RH 8.0

How can the samba users change their own samba username/passwords remotely? My idea is to have a web page. That page should have at least the fields username and password. And of course the button Submit. As soon as the user hits submit, that information will go straight to the PAM on linux. And then PAM will do the job of authenticating the user and change the samba password for him. Does it sound too crazy? Has anyone done it before?

However, if I compile samba --with-pam all the info will go in clear text. And samba will bypass PAM in case I change the samba.conf line "encrypt passwords=yes". So... I'm in a dilemma as you can see.

My idea is to have the users [over 500] change their own username/password as securely as possible. Any ideas?

I thought, well, they can connect via ssh and just let them run the smbpasswd utility... but I want something simpler for these Windows users. They don't even know how to ftp their own website...

thanks,
el chupacabra
 
Old 11-07-2002, 02:18 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
From the help files...

http://xxx.xx:10000/samba/swat.cgi/swat/help/smb.conf.5.html#PASSWORDSERVER

password server (G)

By specifying the name of another SMB server (such as a WinNT box) with this option, and using security = domain or security = server you can get Samba to do all its username/password validation via a remote server.

This option sets the name of the password server to use. It must be a NetBIOS name, so if the machine's NetBIOS name is different from its Internet name then you may have to add its NetBIOS name to the lmhosts file which is stored in the same directory as the smb.conf file.

The name of the password server is looked up using the parameter name resolve order and so may be resolved by any method and order described in that parameter.

The password server must be a machine capable of using the "LM1.2X002" or the "NT LM 0.12" protocol, and it must be in user level security mode.

NOTE: Using a password server means your UNIX box (running Samba) is only as secure as your password server. DO NOT CHOOSE A PASSWORD SERVER THAT YOU DON'T COMPLETELY TRUST.

Never point a Samba server at itself for password serving. This will cause a loop and could lock up your Samba server!

Do you have a PDC running in the network, or an LDAP server?

Last edited by peter_robb; 11-07-2002 at 02:19 PM.
 
Old 11-08-2002, 12:02 PM   #3
chupacabra
Member
 
Registered: Oct 2002
Posts: 30

Original Poster
Rep: Reputation: 15
thanks question answered...

I'm posting an email reply that a Samba Developer [Jerry Carter] gave to a co-worker. I'm posting it so everybody can benefit from it.
I learnt a lot from his reply....

> How can the samba users change their own samba username/passwords?
> > I remember you mentioned something like creating a web page in Perl?

A: That was for password synchronization. If you just want to change the
smbpasswd entry, use the CTRL+ALT+DEL -> Change password option of Windows
NT+. Should work out of the box.

> > That page should have at least the fields username and password.
> > And of course the button Submit. As soon as the user hits submit, that
> > information will go straight to the PAM on linux. And then PAM will do
> > the job of authenticating the user and change the samba password for
> > him.
> >
> > However, if I compile samba --with-pam all the info will go in
> > clear text. And samba will bypass PAM in case I change the samba.conf
> > line "encrypt passwords=yes". So..I'm in a dilemma as you can see.

A: If you compile with the --with-pam but set "encrypt passwords = yes", smbd
will always use the smbpasswd file for authentication (using NTLMv1, not
clear text). However, if you want to use pam for password changes,
set "pam password change = yes" in smb.conf and set an appropriate
"password chat" string.
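
An added example, not part of the thread and not Samba's own code: a small Python check of an smb.conf `[global]` section for the settings discussed above (clear-text passwords, a password server that points back at the Samba host, and PAM password changes left on the default chat string). The sample config, host names and finding ids are constructed; `passwd chat` is the smb.conf parameter that holds the chat string, and unset options are assumed to take the Samba 2.2 defaults.

```python
import re

# Constructed sample; host names and values are made up for illustration.
SAMPLE_SMB_CONF = """
[global]
   netbios name = FILESRV1
   security = server
   password server = pdc1, filesrv1
   encrypt passwords = no
   pam password change = yes
"""

def parse_global(text):
    """Return [global] parameters keyed by name (no line continuations)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params["".join(name.lower().split())] = value.strip()
    return params

def audit(params):
    """Return finding ids for the password-handling settings in the thread."""
    def enabled(key):  # unset is treated as "no" (assumed Samba 2.2 defaults)
        return params.get(key, "no").lower() in ("yes", "true", "1")
    findings = []
    if not enabled("encryptpasswords"):
        findings.append("cleartext-passwords")       # sent in clear text
    if params.get("security", "user").lower() in ("server", "domain"):
        servers = re.split(r"[,\s]+", params.get("passwordserver", "").lower())
        servers = [s for s in servers if s]
        if params.get("netbiosname", "").lower() in servers:
            findings.append("password-server-loop")  # Samba pointed at itself
        if servers:
            findings.append("trusts-remote-server")  # only as secure as it is
    if enabled("pampasswordchange") and "passwdchat" not in params:
        findings.append("default-passwd-chat")       # reply advises setting one
    return findings

if __name__ == "__main__":
    for finding in audit(parse_global(SAMPLE_SMB_CONF)):
        print(finding)
```

A `[global]` section with `security = user`, `encrypt passwords = yes`, `pam password change = yes` and an explicit `passwd chat` line produces no findings.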