how to share Linux user passwords and Samba passwords

3

I have set up a Linux system with its own user account administration. It is not part of any domain (other than DNS). Now I want to allow its users to mount their home directories on a Windows system.

One way of doing this is by keeping two user account administrations: one maintained with passwd, the other with smbpasswd. This seems needlessly complicated. I want to maintain just one.

How can I best arrange this? The system is running Ubuntu 12.04 (Desktop).

reinierpost

Posted 2012-10-01T10:00:27.460

Reputation: 1 904

Answers

2

Use PAM's support module for /etc/passwd.


Update:

There is a fundamental reason why you cannot unify these authentication mechanisms in any simple way.

  • Unix and Linux /etc/passwd authentication requires that the user's password be presented to the server. This can be within an encrypted channel (as in SSH password authentication when not using private-key authentication).
  • NTLM and MS-Kerberos authentication don't transmit passwords; they transmit a hash of a password, and the authenticating server takes its copy of the user's password, constructs a hash using the same algorithm and compares the hash result with the hash presented by the client. Since /etc/passwd doesn't store passwords and uses a different hashing algorithm, /etc/passwd has insufficient information for authenticating NTLM/Kerberos clients.
  • Really old SMB authentication protocols pass the password (in plaintext, i.e. unprotected) and an SMB server can therefore compute a /etc/passwd type hash of this and compare it to the hash stored in /etc/passwd.

From the above it follows that you need a separate file to store passwords (smbpasswd) or a domain controller if you want to avoid plain text passwords transiting your LAN.

RedGrittyBrick

Posted 2012-10-01T10:00:27.460

Reputation: 70 632
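An added illustration of the answer's argument, not code from the original post or from Samba: the two verification models side by side, with PBKDF2 and SHA-256 as labelled stand-ins for crypt(3) and MD4, showing which stored record can answer which kind of client.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stand-in for crypt(3) as used by /etc/shadow: a SALTED one-way hash.
# (Assumption: PBKDF2-SHA512 here; real shadow entries use sha512crypt or yescrypt.)
def shadow_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000)
    return f"$demo${salt.hex()}${dk.hex()}"

# Unix-style check: the client must present the PLAINTEXT password; the server
# re-hashes it with the stored salt and compares.
def shadow_verify(stored: str, presented: str) -> bool:
    _, _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", presented.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

# Stand-in for the NT hash that smbpasswd stores: an UNSALTED digest of the
# password, i.e. a password-equivalent the server can compute with.
# (Assumption: SHA-256 here; real NTLM uses MD4 over the UTF-16LE password.)
def nt_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

# NTLM-style challenge/response: the plaintext never crosses the wire.
def client_response(password: str, challenge: bytes) -> bytes:
    return hmac.new(nt_hash(password), challenge, "sha256").digest()

def server_verify_response(stored_nt_hash: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(stored_nt_hash, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)

# Why a server holding only a shadow hash cannot answer an NTLM client: it would
# need nt_hash(password), and a salted one-way hash gives no way to derive it.
# Both records can only be produced while the plaintext is in hand, i.e. at
# password-change time, which is all a one-direction sync hook can rely on.
def on_password_change(plaintext: str) -> dict:
    return {"shadow": shadow_hash(plaintext), "smbpasswd": nt_hash(plaintext).hex()}

if __name__ == "__main__":
    records = on_password_change("correct horse")   # constructed sample password
    chal = os.urandom(8)
    print(shadow_verify(records["shadow"], "correct horse"))  # True
    resp = client_response("correct horse", chal)
    print(server_verify_response(bytes.fromhex(records["smbpasswd"]), chal, resp))  # True
```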

To do what? To replace all use of /etc/passwd with the use of the password file managed by smbpasswd? – reinierpost – 2012-10-01T12:47:10.377

@reinierpost, I had in mind the opposite. Tell Samba to use /etc/passwd (via PAM). This seems a simpler proposition to me :-) The link in my answer points to Samba documentation, not to general Linux documentation. – RedGrittyBrick – 2012-10-01T13:35:31.677

I have tried to do that, but it seems to require the Windows client sending the password in cleartext (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667015) or a password synchronization mechanism that appears to work only in one direction (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2667199), both rather suboptimal workarounds in my view. – reinierpost – 2012-10-01T13:41:11.203

@reinierpost: So far as I know, the most common solution for that set of requirements (encrypted credentials on wire, single point of user admin) is to authenticate through a Windows Domain Controller (or Samba acting as such). – RedGrittyBrick – 2012-10-01T13:50:46.743

That is also my impression, but it would be helpful to know for sure. Hence my question. – reinierpost – 2012-10-01T13:53:54.063

@reinierpost: There is little reason for sync to work in the other direction, since Windows does not support changing passwords over SMB if you're not in a domain (so a desync is next to impossible). – user1686 – 2012-10-01T15:50:03.970

Hm ... can I set up the box to be its own one-machine Windows domain without interfering with my organization's domain (on which this box, being a Linux machine, is not allowed)? And to what extent can I get rid of /etc/passwd and /etc/shadow altogether? If I can use Samba passwords for everything (i.e. if all Ubuntu applications I use support PAM), that solution will be fine with me. – reinierpost – 2012-11-09T14:16:57.800

Would WinSCP + public-key authentication be acceptable? – RedGrittyBrick – 2012-11-09T15:10:29.087

@RedGrittyBrick: Not really. I'm looking for a way to avoid having to ask my colleagues to use some special software on the Windows side. They know how to do scp, that's not the issue. – reinierpost – 2012-11-18T16:21:42.503