Ryan,

That is close. We have several hundred unix accounts used by our Mac clients via pam/ldap authentication.

Here is the scenario. Consider 300 Macs tired of native file services and willing to use smb. I can't move them all in one year much less one weekend. Their account/password must be valid for both realms. Currently no password or user data exist for the smb side.

In small systems I could run smbpasswd -a <macuser> for all users but that does not address future password issues. It is also an additional step when adding users to the system.

What would be slick is an ldap launched app that changed the smbpassword whenever the unix one was changed. Same thing with a new unix user.

-----Original Message-----
From: Ryan Novosielski [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 09, 2008 12:58 PM
To: Deas, Jim
Cc: Scott Lovenberg; Denis Cardon; samba@lists.samba.org
Subject: Re: Sync passwords unix/smb with FDS backend?

The PAM module I mentioned is not for sync, really, but for initial migration from /etc/passwd to an NT-hashed password store (in smbpasswd format). If you're trying to sync passwords (a person has accounts in both places with working passwords on both sides already and just wants them both to change at the same time), then there are other ways to handle this natively.

Deas, Jim wrote:
> Sorry about the acro, I am working with Fedora Directory Server (ldap).
> Currently user passwords stored in FDS can be changed from netatalk
> (apple protocol), FDS web interface, or unix/passwd via the PAM
> interface. To hit all three of these areas I would think that the
> password sync would need to somehow be down in FDS.
> Looking forward I would like to find an ldap solution. Anything else
> will cause additional steps when I add new users to the network.
> I will read through pdbedit but unless I can trigger it through ldap I
> don't know what good it will do.
>
> JD
>
> -----Original Message-----
> From: Scott Lovenberg [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 09, 2008 12:43 PM
> To: Ryan Novosielski
> Cc: Denis Cardon; samba@lists.samba.org; Deas, Jim
> Subject: Re: Sync passwords unix/smb with FDS backend?
>
> Ryan Novosielski wrote:
> Denis Cardon wrote:
>>>> Hi Jim,
>>>>> Using simple authentication I have been able to tie FDS to Samba 3.x.24.
>>>>> Knowing that the unix passwd and smb passwd are different, dare I ask
>>>>> how difficult it would be to have them sync? Most of my users are using
>>>>> netatalk w/ posix user info and MD5 password. I would like to swing this
>>>>> over to samba without the worries of two passwords per user. I have seen
>>>>> blips on this but not directly related to FDS
>>>>>
>>>> if you store both your samba and your unix password in the ldap, you can
>>>> get them in sync by updating both of them when one changes its password.
>>>> You'll need to update the smb.conf file to take that into account for
>>>> the windows part, and update your other password changing apps accordingly.
>>>> If what you want is in fact getting a NTLM hash from the existing md5
>>>> hash, I'm afraid it won't be possible. Users will have to change their
>>>> password once to update both ntlm and md5 password hash.
> Not entirely true, or at least it wasn't last time I tried this. For me,
> I used a method that included a PAM module that, on successful auth
> (actually, for HP-UX, any auth, which was unfortunate, since they have
> no 'requisite' directive in PAM), populated the smbpasswd file.
>
> I don't know what FDS is, but it seems to me you could go this route and
> then convert the smbpasswd file to whatever you wanted via pdbedit.
>
> =R
>
> Scratch my last message about FDS; I was thinking of Apache Directory
> Server. FDS is pretty mature. Sorry about that.

--
Ryan Novosielski - Systems Programmer II
[EMAIL PROTECTED] - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/AST - NJMS Medical Science Bldg - C630