
Re: SMB passwords etc (was "How can I help ?")



At 22:40 14/06/2000, Zak Kipling wrote:
On Wed, 14 Jun 2000, Sebastian Rittau wrote:

>> [stuff about encrypted SMB passwords]
>
> But using this option prevents you from using the global /etc/shadow
> file, which is problematic in some cases.

True. Samba has a "password sync" option to enable SMB password changes to
automatically update the unix password file too (though it can be
troublesome to get this working smoothly...)

I'm no PAM or SMB expert, but I would imagine (if it hasn't been done) it
would be feasible to make a stacked "password" module to do the reverse,
ie to update the SMB password (including optionally creating the entry in
the smbpasswd file if it doesn't exist) when the "passwd" command is used
to change the unix password.

A mechanism would obviously be required to prevent a loop situation when
both options are used simultaneously. If Samba carried out the actual SMB
password update via PAM, then this should allow for the required
flexibility, with either one or both of the unix/SMB password setting
modules used by passwd and smbd as desired. This would hopefully eliminate
the need for the "password sync" option with its dependence on the precise
prompt string produced by the "passwd" command.

--
Zak Kipling, E114 Wolfson Court, Clarkson Road, Cambridge, CB3 0EH.
Tel. (01223) 509524; pager 04325 361627; ICQ# 62661452; Ask for PGP key
Internet chat: telnet to zk201.girton.cam.ac.uk and log in as "talk".

"As long as the superstition that people should obey unjust laws exists,
so long will slavery exist." -- M. K. Gandhi



--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

This was posted to samba-technical within the last few days:

<begin quote>
From: Peter Samuelson <peter@cadcamlab.org>
To: Multiple recipients of list SAMBA-TECHNICAL
        <samba-technical@samba.org>
Subject: ANNOUNCE: pam_pwexport, Unix->SMB password changes
Date:   Tue, 13 Jun 2000 22:08:43 +1000


[[posted to samba-ntdom and samba-technical]]

More than one user has recently asked about Unix->Samba password sync.

You can go the *other* direction with those chat options in smb.conf,
and Samba even has an option `update encrypted' for using cleartext
passwords and populating the smbpasswd file when people change them.

But when a user executes `passwd' or `yppasswd' on the Unix system,
Samba has no way of knowing, so your NT password gets out of sync.

Until now.

For all you out there who use PAM-enabled Unix systems (that means most
flavors of Linux and Solaris, and recently HP-UX, and possibly others I
don't know about), you may wish to give this a shot:

  http://peter.cadcamlab.org/misc/pam_pwexport-0.0.tar.gz

It sits and snoops whenever a user enters or changes a password through
PAM, and sends the passwords off to be processed by an arbitrary
PAM-unaware executable.  That means:

* For all logins (ftp, ssh, telnet, pop3, etc) you can grab the
  password and use it to populate your local smbpasswd file.  This is
  akin to the smb.conf `update encrypted' option, useful for migration
  from a Unix environment to a mixed Unix/NT environment.

* For Unix password changes, you get both the old and new password, so
  you can either do the above, or update an NT domain controller (or
  remote Samba domain controller).  Assuming your NIS domain controller
  is PAM-aware, this should work for `yppasswd' as well.  (Untested.)

* Although I wrote it with Samba in mind, it is by no means specific to
  smbpasswd; other similar "password migration" scenarios should work
  just as well.

Like most PAM modules, it's not very hard to set up.  Included is an
example glue script for making it work with smbpasswd.

BUT: It's a 0.0 release and has only been tested on Linux-PAM.  It may
work on the other Unices, but I don't have Solaris and I haven't gotten
a chance to test on HP-UX yet.  It's also missing some error checking
and other polish.  (I'll gladly take patches.)

ALSO: pam_pwexport won't work properly without a small patch, included,
to fix a bug in Linux-PAM 0.72.

Enjoy.  I did.  (PAM modules are much easier to write than you think.)

Peter
<end quote>

Looks like what you're after :)

Freddie
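
As the announcement quoted above describes, a module stacked under PAM's `auth` or `password` types is handed the cleartext password, so it is worth auditing which modules those stacks load. The following is an added example, not part of the original post or of pam_pwexport: it parses a pam.d-style service file and reports password-handling modules outside an allowlist. The allowlist, the sample file and the module file name `pam_pwexport.so` are assumptions.

```python
import re

# Assumption: module file names this site expects in auth/password stacks.
ALLOWED = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_cracklib.so"}
# Management groups whose modules receive the cleartext password.
PASSWORD_TYPES = {"auth", "password"}

# type  control (word or [bracketed list])  module-path  [arguments]
RULE_RE = re.compile(
    r"^(?P<type>-?\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)

def parse_pam_service(text):
    """Yield (type, control, module, args) for each module rule in the file."""
    joined = text.replace("\\\n", " ")            # backslash-newline continues a rule
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("@include"):
            continue
        m = RULE_RE.match(line)
        if not m or m["control"] in ("include", "substack"):
            continue                              # third field is a service, not a module
        yield m["type"].lstrip("-"), m["control"], m["module"], m["args"] or ""

def unexpected_password_modules(text, allowed=ALLOWED):
    """Return (type, module file, args) for auth/password modules not allowed."""
    findings = []
    for mtype, _control, module, args in parse_pam_service(text):
        name = module.rsplit("/", 1)[-1]          # compare on file name only
        if mtype in PASSWORD_TYPES and name not in allowed:
            findings.append((mtype, name, args))
    return findings

# Constructed sample service file; paths and the .so name are hypothetical.
SAMPLE = """\
# /etc/pam.d/passwd (constructed sample)
@include common-account
password  requisite  pam_cracklib.so retry=3
password  [success=1 default=ignore]  pam_unix.so use_authtok \\
          md5 shadow
-password optional   /lib/security/pam_pwexport.so   # hypothetical file name
auth      include    system-auth
session   optional   pam_motd.so
"""

if __name__ == "__main__":
    for finding in unexpected_password_modules(SAMPLE):
        print("review:", finding)
```
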


