1

Nothing found at all on the Net: I'm looking up for an automatical synchonization of linux to samba (NOT Samba to Linux) passwords. I wrote a cgi web form that changes this password directly in the shadow file, using a crypted password (for security reasons I do not want to allow the passwords being stored in cleartext in the logfiles). Not using LDAP. All would be fine if the user logs in for a first time using ssh, but I have users that only use windows, so I cannot ask i.ex. a secretary to do that.

Basically, what I yet did is this: vi /etc/pam.d/common-password

password        required                        pam_smbpass.so nullok use_authtok use_first_pass
  • I also tried changepassword-0.9, but there is a bug that has never been solved by its programmer.
  • Swat is not a solution to me.

I yet found the following sites, but still struggeling around...

-http://uranus.chrysocome.net/linux/smbfs/pam_smbpass.html

-https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/System_Administration_Guide/Configuring_a_Samba_Server-Encrypted_Passwords.html

here some code of my perl cgi script:

# Crypt the password here so that it cannot be read in any logflie
my $cryptedShadowString = `echo "$new_passwd1"|openssl passwd -1 -stdin`;
chomp($cryptedShadowString);
(...)
open($result, '-|') || exec $SUDO, $EXECUTINGSCRIPT, $login, $old_passwd, $cryptedShadowString, $cryptedShadowString;

This will send the encrypted password to another perl script that writes it directly into the shadow file. (All the stuff is shibboleth protected, so I don't care about hackers coming from around the world).

I tried something like that in the execution script, but unfortunately it is not the solution:

    # Do a first login to chat the new password to the samba password file:
sleep 2; # sleep a bit, for the next command:
system(" ( echo '') | exec '/bin/su' $login");

Someone can help me? Thx.

Birgit Ducarroz
  • 13
  • 4
  • I am not sure if I get what you are after. Do you look for a way to set the password for both Samba and Linux from the the CGI script or do you want to autosync the password when it's changed by the user either from Linux or Windows? – Sven Oct 28 '16 at 09:06
  • I want to set the password both in linux and samba, but I am not able to do it for the samba password from the webform in a way that it will be not readable in cleartext in any logfile. I used the method crypt for the linux password, that worked fine, so I think it is maybe the easiest thing to automatically syncronize it to samba. – Birgit Ducarroz Oct 28 '16 at 09:11
  • Isn't there any possibility to change the samba password, writing it crypted into the samba password file as I did it for the shadow? Then the auto sync to linux would be no problem. – Birgit Ducarroz Oct 31 '16 at 08:12

1 Answers1

-2

This is actually what a domain is for. Use either AD domain, either samba as DC, or just a LDAP as the password backend. Currently you are reinventing the wheel, and this wheel is in the form of a triangle.

Furthermore, you are trying to get the help in polishing what you think is a solution for a probably common task, while not mentioning what task is that. I bet it is standard unless you are doing some advanced research (but I'm sorry, your post clearly doesn't make that impression).

drookie
  • 8,051
  • 1
  • 17
  • 27
  • I cannot use neither AD, samba as DC or LDAP because of non technical company policy reasons. – Birgit Ducarroz Oct 28 '16 at 09:00
  • Then you're doomed. – drookie Oct 28 '16 at 09:07
  • If this is such a common task as you think, why is there no one that can help me? – Birgit Ducarroz Oct 31 '16 at 08:13
  • Because everyone except this one downvoter seem to agree with me about reinventing triangle wheel. And you still didn't mention what task is that. You want people to help you with a solution, but sorry, your solution is ugly. People tend to stick to more elegant ones, which I've already described. – drookie Oct 31 '16 at 08:26
  • I don't think that everyone agrees and I don't give up. Found this: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html but since I am not a pam specialist, it yet does not work. Maybe someone could help me anyway. In technike you never are doomed, you just don't have to give up. – Birgit Ducarroz Nov 03 '16 at 09:27