samba sync password with unix password on debian wheezy

10

6

I installed samba on my server and I am trying to write a script to spare me the two steps to add a user, e.g.:

adduser username
smbpasswd -a username

My smb.conf states:

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

Further reading brought me to pdbedit man page which states:

   -a     This option is used to add a user into the database.  This  com-
          mand needs a user name specified with the -u switch. When adding
          a new user, pdbedit will also ask for the password to be used.

          Example: pdbedit -a -u sorce
          new password:
          retype new password

          Note

          pdbedit does not call the unix password syncronisation script if
          unix password sync has been set. It only updates the data in the
          Samba user database.

          If you wish to add a user and synchronise the password that  im-
          mediately, use smbpasswd’s -a option.

So... now I decided to try adding a user with smbpasswd:

1st try, unix user still does not exist:

root@raspberrypi:/home/pi# smbpasswd -a newuser
New SMB password:
Retype new SMB password:
Failed to add entry for user newuser.

2nd try, unix user exists:

root@raspberrypi:/home/pi# useradd mag
root@raspberrypi:/home/pi# smbpasswd -a mag
New SMB password:
Retype new SMB password:
Added user mag.
# switch to user pi, and try to switch to mag
root@raspberrypi:/home/pi# su pi
pi@raspberrypi ~ $ su mag
Password: 
su: Authentication failure

So, now I am asking myself:

  1. how do I make samba passwords sync with unix passwords?
  2. where are samba passwords stored?

Can someone help enlighten me?

Oz123

Posted 2012-09-23T08:00:35.513

Reputation: 583

The passwords are stored within the databases in /var/lib/samba/, I believe passwords are in secrets.tdb but I am not certain. As for your former question, I doubt there is an easy way. – Zoredache – 2012-09-23T08:05:59.533

Answers

8

Well... the missing link was:

 libpam-smbpass

So, after installing this package it works as expected. The Internet's long term memory just brings partial information sometimes. So in order to fight this I am publishing here the correct link how to sync samba passwords with unix passwords, and also my own test.

root@raspberrypi:/home/pi# passwd mag2
passwd: user 'mag2' does not exist
root@raspberrypi:/home/pi# useradd mag2
root@raspberrypi:/home/pi# echo "mag2:12345" | chpasswd
root@raspberrypi:/home/pi# smbclient -L localhost -U mag2
Enter mag2's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (raspberrypi server)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

    Server               Comment
    ---------            -------
    RASPBERRYPI          raspberrypi server

    Workgroup            Master
    ---------            -------
    WORKGROUP            
root@raspberrypi:/home/pi# su pi
pi@raspberrypi ~ $ su mag2
Password: 
Added user mag2.

mag2@raspberrypi:/home/pi$ 

I hope this helps someone else.

update 2017:

libpam-smbpass is deprecated. It seems what replaced it is pam_winbindd. You can install the package libpam-winbind to get it. This, however, still does not sync samba passwords with your unix passwords. Instead it allows you to authenticate to unix with a Windows Authentication server (AD). You can find info on that here: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Oz123

Posted 2012-09-23T08:00:35.513

Reputation: 583

@ubiquibacon I've edited this answer so that the link now points to the archived version from the Wayback Machine (thanks to the good work done by the Internet Archive people). – Anthony Geoghegan – 2016-05-09T20:27:24.920

pam_smbpass appears to be deprecated – alex.forencich – 2017-09-18T06:01:52.477

Yes, I can't find libpam-smbpass on a Debian 9.1 system anymore and it also doesn't work for me. How can it be that this simple question has been asked so many times and still has no answer? – Frank Breitling – 2017-11-21T17:20:07.237

@Oz123 libpam-winbind can NOT be found in CentOS7 either. – CHENJIAN – 2018-10-20T13:49:32.603

Link is broken, that is why we put valuable info in the answer :/ – ubiquibacon – 2014-04-19T17:38:57.277

3

Wanted to comment on the previous answer but could not do it for lack of reputation points. Tried to put the full content in this answer but could not, as it said that it looked like spam. Here is the access to the full content on the Wayback Machine, and following is the brief version of the main points:

Unix and Samba password sync on Debian Etch

Install the following packages:

# apt-get install libpam-smbpass smbclient

Unix -> Samba

In order to update the Samba password whenever a user changes their Unix password, change

/etc/pam.d/common-password: from

password   required   pam_unix.so nullok obscure min=4 max=8 md5

to

password   requisite  pam_unix.so nullok obscure min=4 max=8 md5
password   required   pam_smbpass.so nullok use_authtok try_first_pass

Changing "required" to "requisite" for pam_unix will make sure that if Unix password change fails, the execution of plugins ends immediately.

In order for this to work, users must already have Samba accounts, and their Samba passwords must match their Unix passwords. Because this is not necessarily the case, we must change

/etc/pam.d/common-auth: from

auth    required        pam_unix.so nullok_secure

to

auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_smbpass.so migrate

This will create a Samba user, if it doesn't already exist, and change its password to the Unix password, whenever the user logs in using SSH or any other service that uses default system (common-auth) authentication.

You should see a message Added user when logging in using SSH with an account that doesn't already have a Samba account.

Because this will also create a Samba account for root, you might want to disable root access in Samba (Debian Etch has it disabled by default):

/etc/samba/smb.conf:

invalid users = root

Caveat: This will not work if the user logs in via SSH or other services without using a password (for example by using public/private key authentication). In this case, PAM won't have the plain-text password, which is needed to create the Samba password.

Notice: When you modify common-password to also require Samba passwords updates, any currently logged in users will not be able to change their password using "passwd" until they re-login, unless they already have an existing Samba account with a password equal to their Unix password.

Samba -> Unix

We instruct Samba to use PAM when changing passwords:

/etc/samba/smb.conf:

unix password sync = yes
pam password change = yes

Restart Samba using /etc/init.d/samba restart.

Configure PAM to support changing of password by Samba by adding @include common-password:

/etc/pam.d/samba:

@include common-auth
@include common-account
@include common-session
@include common-password

This will use the same mechanism to change passwords when using Samba as when using "passwd". This means it will require an update of the Unix password before attempting to change the Samba password.

Creating new users

Use chpasswd to avoid error:

# useradd test
# echo "test:newpass" | chpasswd

Joru

Posted 2012-09-23T08:00:35.513

Reputation: 31

pam_smbpass appears to be deprecated – alex.forencich – 2017-09-18T06:02:00.117

@Joru By source compiling of samba 4.9.1 on CentOS7, there is no file of pam_smbpass.so. Can you help me? link: https://stackoverflow.com/questions/52932070/samba-4-9-1-password-sync-with-centos7-root-password – CHENJIAN – 2018-10-22T14:50:45.750

@CHENJIAN SAMBA.ORG removed pam_smbpass.so from the sources with SAMBA 4. So the last Samba version I was able to find it in was samba 3.9.16 – Axel Werner – 2019-06-16T10:29:24.503
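
The useradd, chpasswd and smbpasswd -a steps shown above, combined into one script that needs no pam_smbpass (an added example, not part of the original question or answers). It sets both passwords once at account creation and does not keep later password changes in sync; the username policy and the script name are assumptions of this example.

```sh
#!/bin/sh
# Added example: one prompt, two accounts (Unix + Samba). Run as root.
LC_ALL=C; export LC_ALL

# Conservative account-name policy (an assumption of this example).
valid_username() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Read one line into SECRET; suppress echo only when stdin is a terminal.
read_secret() {
    if [ -t 0 ]; then
        printf '%s' "$1" >&2
        stty -echo
    fi
    IFS= read -r SECRET
    rc=$?
    if [ -t 0 ]; then
        stty echo
        printf '\n' >&2
    fi
    return "$rc"
}

add_synced_user() {
    user=$1
    valid_username "$user" || { echo "invalid username" >&2; return 2; }
    read_secret "Password for $user: " || return 1
    [ -n "$SECRET" ] || { echo "empty password refused" >&2; return 1; }
    useradd "$user" || return 1
    # printf is a builtin in dash and bash, so the password is never placed
    # in another process's argument list. chpasswd reads "user:password".
    printf '%s:%s\n' "$user" "$SECRET" | chpasswd || return 1
    # smbpasswd -s takes the new password twice on stdin instead of prompting;
    # -a adds the entry, which requires the Unix account to exist already.
    printf '%s\n%s\n' "$SECRET" "$SECRET" | smbpasswd -s -a "$user" || return 1
    unset SECRET
}

# Usage: ./add-synced-user.sh USERNAME   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    add_synced_user "$1"
fi
```

If smbpasswd fails after useradd has succeeded, the Unix account remains without a Samba entry, so check the exit status before handing the account out.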