The SMB protocol has gone through numerous revisions since the first product using it, LAN Manager, was launched in the late 1980s. As with many network protocols, security was very much an afterthought. LAN Manager used to send passwords in the clear across the network until a weak LAN Manager hash mechanism was introduced. This in turn was replaced by NTLM, and then improved upon with NTLM v2.
In a network without a centralized account database, a "workgroup" in Windows terms, the NTLM v2 mechanism is still used for authentication, and that's why Samba needs a separate password database. (Samba actually makes use of the user database in /etc/passwd; it's just the passwords that must be stored separately.)
When a client PC attempts to access an SMB/CIFS share which requires authentication, the password is never sent over the network. Instead, a challenge/response mechanism is used, which involves creating a password hash and subjecting it to various mathematical operations. The server sends a "challenge" number, the client returns the result of a certain mathematical algorithm involving this number and the password hash, and the server performs the exact same operation and compares the results.
For this to work, both the server and the client must have access to either the unencrypted password (which a server should never store for security reasons), or a 128-bit MD4 password hash of that password. Since the hashes in /etc/shadow aren't MD4 hashes, they are of no use to Samba, hence the need for a second password hash database. (DES hashes can be used as well, but since that algorithm is seriously outdated, the NTLM protocol in all modern Windows OSes will refuse to accept them unless specifically reconfigured to do so.)
Maintaining two separate password databases is indeed a hassle. It might be possible to configure PAM in such a way that smbpasswd is called automatically whenever an account password is created or changed, but an even better idea would be to eliminate the need for two password databases. Linux can authenticate against just about anything via PAM, so if you configure Samba to be a so-called "Domain Controller" for either an old-style Windows NT Domain or an Active Directory Domain, both Linux and Samba can use that database for authentication.
As a bonus, you would then be able to log on to any computer in the network, be they Windows or Linux systems, using the credentials from the Windows Domain database. If you were to set up several Samba Domain Controllers, the entire account database would automatically be replicated to every Samba DC, passwords and all.
Oh, and if you go for an Active Directory Domain, the somewhat vulnerable MD4-based NTLM protocol is replaced by Kerberos, which has no known security vulnerabilities. Both Samba and Windows will fall back to NTLM v2 if a non-domain member is involved or if a resource is accessed via an IP address rather than a hostname, but you can disable that fallback mechanism if you so wish.