I'm trying to implement a custom password scheme through pam and samba. Basically, if a user wants to change their password on a client, the change has to be propagated to the samba server so it can also set the windows password. It works fine to tell users to use 'smbpasswd -r samba.mydomain', or to make passwd an alias that does that, but it would be better to make the change go through PAM so it will work from the GUI as well. Now, I found 2 ways to do this: pam_smbpass and pam_exec, but with both, I seem to be hitting a stone wall.
pam_smbpass: On a machine that has a full smb.conf with all the LDAP connections etc (including ldap bind credentials in secrets.tdb), something like 'password required pam_smbpass.so nullok use_authtok try_first_pass' in the appropriate /etc/pam.d files seems to do the trick. However, I don't really want to make every desktop a full member of the domain. So, it would be nice if there was a way to make pam_smbpass connect to a remote samba server, but I haven't been able to find one. Any help in this area would be appreciated.
pam_exec: The man page states 'All module types (auth, account, password and session) are provided.' So it should be possible to write a script or program to handle a pam password call, right? But, the script I wrote doesn't seem to receive the old or new password. And re-reading the documentation, I notice that nothing is mentioned about passing a password to the module anywhere, except on authentication, when expose_authtok will do that (then the password will be passed through stdin). But nothing like that when called for a password change. Again, what did I miss? Is the password module type not fully implemented, or should this be handled in another way?
(OS: Fedora 15, RHEL 6, both same situation)
David Jansen
PS: I know a 3rd option would be to switch everything over to winbind, which may or may not work in our complex situation with various Windows domains with trusts. The point is: everything else works, except for a consistent password change method, so before we decide to redesign the whole setup, we want to be absolutely sure that there isn't something simple we are overlooking.
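Added illustration (not from the thread or from Samba's documentation): the password stack on a domain member that does what the first message describes with pam_smbpass. The module names and arguments are the ones in the message; the surrounding lines are a RHEL 6 style /etc/pam.d/system-auth password section and are an assumption. The point worth checking in your own file is control-flag order: a module placed after a 'sufficient' pam_unix.so is never reached when pam_unix succeeds, so pam_smbpass would silently do nothing. Placing it first as 'requisite' makes a failed Samba update abort the stack before the local password is touched, so the two copies cannot drift apart in that direction.

```text
# /etc/pam.d/system-auth  (password stack only; illustrative)
password    requisite     pam_cracklib.so try_first_pass retry=3
password    requisite     pam_smbpass.so nullok use_authtok try_first_pass
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
```

The reverse failure (Samba updated, then pam_unix refuses the change) is still possible with this order; pam_cracklib running first as 'requisite' removes the most common cause, a new password that the local policy rejects.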
On 11/02/2011 04:40 AM, David Jansen wrote:
What's the GUI? Couldn't you do this through a webpage and just have the webserver take the appropriate information and then pass that to your backend application? Then, only the webserver needs to be part and parcel in the SMB domain and you could use your pam_smbpass solution.
Kevin
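Added example, not code from the thread, from Samba or from Linux-PAM: the backend half of the suggestion above, built on the 'smbpasswd -r' path the original poster says already works. Whatever invokes it (a web form handler, or a pam_exec password script on a Linux-PAM whose expose_authtok covers the password type) hands it the user name plus old and new password; it drives smbpasswd non-interactively with '-s', which makes smbpasswd read old, new and repeated new password from stdin instead of /dev/tty, so the secrets never appear in argv (readable by every local user through ps) or in the environment. The server name "samba.mydomain" is taken from the thread; the function names and the stub command used in the usage line are assumptions.

```python
"""Forward a password change to a remote Samba server with smbpasswd -s.

Added example; hypothetical helper, not part of Samba or Linux-PAM.
"""
import re
import subprocess
from typing import Sequence

# smbpasswd has no "--" terminator and -U takes the next argv word, so keep
# user names to a conservative alphabet: no leading "-", no whitespace, and
# none of the characters (% and \) that Samba tools give special meaning.
_USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def validate_username(user: str) -> bool:
    return bool(_USER_RE.match(user))


def validate_password(pw: str) -> bool:
    # The -s protocol is line based: a CR or LF inside a password would be
    # consumed as the *next* answer. NUL cannot cross an exec/pipe boundary.
    return pw != "" and not any(c in pw for c in "\r\n\0")


def smbpasswd_stdin(old: str, new: str) -> str:
    """Exactly what 'smbpasswd -s -r host -U user' reads: old, new, new."""
    return f"{old}\n{new}\n{new}\n"


def change_remote_password(
    user: str,
    old: str,
    new: str,
    server: str = "samba.mydomain",          # server name from the thread
    smbpasswd: Sequence[str] = ("smbpasswd",),  # command prefix; swap in a stub to test offline
    timeout: float = 30.0,
) -> bool:
    """Return True when smbpasswd reports success, False when it refuses.

    Raises ValueError for input that cannot be passed to smbpasswd safely.
    """
    if not validate_username(user):
        raise ValueError("unacceptable user name")
    if not (validate_password(old) and validate_password(new)):
        raise ValueError("empty password or line terminator in password")
    if old == new:
        return False  # nothing to change; do not bother the server

    cmd = [*smbpasswd, "-s", "-r", server, "-U", user]
    proc = subprocess.run(
        cmd,
        input=smbpasswd_stdin(old, new),  # secrets go over stdin only
        text=True,
        capture_output=True,               # keep smbpasswd's chatter off our stdout
        timeout=timeout,
    )
    # Treat smbpasswd's output as untrusted; never echo it back to a web user.
    return proc.returncode == 0


if __name__ == "__main__":
    # Offline demonstration with a constructed stub in place of smbpasswd: it
    # exits 0 only if stdin carries the three expected lines.
    stub = ("sh", "-c", "[ \"$(cat)\" = \"$(printf 'Old-1\\nNew-2\\nNew-2')\" ]")
    print(change_remote_password("alice", "Old-1", "New-2", smbpasswd=stub))
```

Run it as root or as a dedicated service account that can reach the Samba server's TCP ports; nothing here requires the host to be a domain member, which is the property the original poster wanted to keep. If the caller is a pam_exec password script, only the new token arrives on stdin, so the old one has to come from the same conversation or the design above will not have enough to give smbpasswd -r.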