
I run a small Samba 4.4 server, and I would like to keep the Samba password database in sync with the Unix password database. I would like the Samba password to be updated when a user changes their password with the traditional Unix passwd program. I do not think I want to go through the complexity of configuring the machine to use winbind.

It appears you used to be able to do this using the pam_smbpass module, and most of the documentation I find refers to this. However, it appears this was removed in Samba 4.4 with this commit message:

pam_smbpass: REMOVE this PAM module

This pam module causes GPLv3, thread-unsafe Samba code to be directly loaded into the address space of many system services. The code in question was not expected to run in this context, and while using the Samba, rather than the system, password file is an admirable goal, this needs to be done over inter-process communication, such as is done by pam_winbind.

pam_winbind is not a total replacement, as the migrate functionality used to keep the Samba password up to date with the system password is not present, but otherwise can provide essentially the same services.

Andrew Bartlett

Signed-off-by: Andrew Bartlett
Reviewed-by: Jeremy Allison

I believe the functionality I want is the "migrate functionality used to keep the Samba password up to date with the system password" which is the one thing that pam_winbind apparently doesn't provide. What other simple options do I have to manage Samba passwords with the normal Unix utilities?


This server runs FreeBSD 10.3 and Samba 4.4, however I welcome any suggestion, even those that aren't FreeBSD specific.

Kaypro II
    The typical approach is to have all user accounts in LDAP instead, I think. – HBruijn Sep 01 '17 at 06:49
  • LDAP is something else I was hoping to avoid, since it's a small standalone server. – Kaypro II Sep 01 '17 at 15:44
  • Is having a local LDAP server really the solution to this? I mean... who is keeping the Samba passwords synchronized with the system (Linux) passwords when the users are supposed to use a single CLI to set their passwords (like passwd)? What single command are the users supposed to use which still obeys the PAM stack to ensure the password quality, history etc.? – Axel Werner Jun 16 '19 at 10:18

1 Answer


Maybe you can get something working with pam_script

ptman
  • I'll look into that. This link seems to have some information about issues someone had using `pam_exec` for this: https://lists.fedoraproject.org/pipermail/users/2011-November/406858.html – Kaypro II Sep 01 '17 at 15:52
  • This page also documents some issues that prevented someone from using `pam_exec` for the password change use case: https://utcc.utoronto.ca/~cks/space/blog/linux/PamExecWhyNot. Apparently, as of 2016, `expose_authtok` isn't supported when you're changing passwords, so you can't get at the new one. – Kaypro II Sep 01 '17 at 16:12
  • Fine, how about pam_script? – ptman Sep 01 '17 at 18:20
  • I'm going to look into it. I just wanted to gather those links here in case they help someone. – Kaypro II Sep 01 '17 at 23:22
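As an added illustration of ptman's pam_script suggestion (this is not code from the answer, the question, or the pam_script project), a `pam_script_passwd` hook that pushes a Unix password change into the Samba passdb. It assumes pam_script invokes the script in the password phase with `PAM_USER` set and, when loaded with `expose=1`, the new password in `PAM_AUTHTOK`, and that `pdbedit` and `smbpasswd` are in `PATH`; the `/etc/pam.d/passwd` line, module path and script directory in the header are assumed FreeBSD values, not something the thread states.

```shell
#!/bin/sh
# pam_script_passwd: keep the Samba passdb in step with a Unix password change.
# Assumptions (not stated in the thread): pam_script runs this script in the
# password phase with PAM_USER set and, when configured with expose=1, the
# new password in PAM_AUTHTOK; pdbedit(8) and smbpasswd(8) are in PATH.
# A matching FreeBSD /etc/pam.d/passwd line, placed after pam_unix so that a
# Samba failure never blocks the Unix change (assumed path and option names):
#   password optional /usr/local/lib/pam_script.so expose=1 dir=/usr/local/etc/pam_script.d

PDBEDIT="${PDBEDIT:-pdbedit}"
SMBPASSWD="${SMBPASSWD:-smbpasswd}"

# True when USER already has a Samba passdb entry. pdbedit -L prints one
# "name:uid:fullname" line per account; compare the first field exactly.
has_samba_account() {
    "$PDBEDIT" -L 2>/dev/null | awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }'
}

# sync_samba_password USER, new password on stdin. The password never goes
# on argv (argv is visible to every local user via ps); smbpasswd -s reads it
# twice from stdin in silent mode. Returns 0 without doing anything for users
# that have no Samba account, so passwd(1) does not create one as a side effect.
sync_samba_password() {
    user=$1
    IFS= read -r newpw || return 1
    has_samba_account "$user" || return 0
    printf '%s\n%s\n' "$newpw" "$newpw" | "$SMBPASSWD" -s "$user" >/dev/null 2>&1
}

# Entry point when invoked by pam_script (no-op when run outside PAM).
if [ -n "$PAM_USER" ] && [ -n "$PAM_AUTHTOK" ]; then
    printf '%s\n' "$PAM_AUTHTOK" | sync_samba_password "$PAM_USER"
fi
```

Because the module is marked `optional` and sits after `pam_unix`, the quality, history and other checks of the existing PAM stack still decide whether the change happens at all; this hook only mirrors an already accepted password.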