Use of pam_exec or pam_smbpass

Kevin Martin kevintm at ameritech.net
Wed Nov 2 13:53:58 UTC 2011



On 11/02/2011 04:40 AM, David Jansen wrote:
> I'm trying to implement a custom password scheme through pam and samba.
> Basically, if a user wants to change their password on a client, the
> change has to be propagated to the samba server so it can also set the
> windows password. It works fine to tell users to use 'smbpasswd -r
> samba.mydomain', or to make passwd an alias that does that, but it would
> be better to make the change go through PAM so it will work from the GUI
> as well.
> Now, I found 2 ways to do this: pam_smbpass and pam_exec, but with both,
> I seem to be hitting a stone wall.
>
> pam_smbpass: 
> On a machine that has a full smb.conf with all the LDAP connections etc
> (including ldap bind credentials in secrets.tdb), something like
> password   required   pam_smbpass.so nullok use_authtok try_first_pass
> in the appropriate /etc/pam.d files seems to do the trick. However, I
> don't really want to make every desktop a full member of the domain.
> So, it would be nice if there was a way to make pam_smbpass connect to a
> remote samba server, but I haven't been able to find one. Any help in
> this area would be appreciated.
>
> pam_exec:
> The man page states 'All module types (auth, account, password and
> session) are provided.' So it should be possible to write a script or
> program to handle a pam password call, right? But, the script I wrote
> doesn't seem to receive the old or new password. And re-reading the
> documentation, I notice that nothing is mentioned about passing a
> password to the module anywhere, except on authentication, when
> expose_authtok will do that (then the password will be passed through
> stdin). But nothing like that when called for a password change.
> Again, what did I miss? Is the password module type not fully
> implemented, or should this be handled in another way?
>
> (OS: Fedora 15, RHEL 6, both same situation) 
>
> David Jansen
>
> PS: I know a 3rd option would be to switch everything over to winbind,
> which may or may not work in our complex situation with various Windows
> domains with trusts. The point is: everything else works, except for a
> consistent password change method, so before we decide to redesign the
> whole setup, we want to be absolutely sure that there isn't something
> simple we are overlooking.

What's the GUI?  Couldn't you do this thru a webpage and just have the webserver take the appropriate information and then pass that
to your backend application?  Then, only the webserver needs to be part and parcel in the SMB domain and you could use your
pam_smbpass solution.

Kevin
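The pam_exec password-type mechanics David asks about, as an added example that belongs to neither post: a helper that pam_exec invokes from the password stack, reads the new token from stdin (expose_authtok) and hands it to a site back-end. It assumes a Linux-PAM release whose pam_exec honours expose_authtok for the password type (newer than the 2011 releases in the thread), and the helper path and back-end command are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): a pam_exec helper for the "password"
# module type. Assumed /etc/pam.d/passwd line, placed after pam_unix has
# accepted the new password:
#   password  optional  pam_exec.so expose_authtok quiet /usr/local/sbin/smb-sync-passwd
# During the update phase of the password stack pam_exec runs this file and,
# with expose_authtok, writes the NEW token to its stdin. Only newer Linux-PAM
# honours expose_authtok for the password type (assumption: check pam_exec(8)
# on your release; the 2011 versions in the thread did not).
# pam_exec exposes only the new token, so smbpasswd -r (which also needs the
# old password) cannot be driven from here; the hook hands the token to a
# site back-end holding its own credentials instead (hypothetical path).

log_msg() { logger -t smb-sync-passwd "$*" 2>/dev/null || true; }

# Read the token from stdin only: argv and the environment are visible to
# other users through ps and /proc. pam_exec may terminate it with NUL
# rather than a newline, so strip NULs and keep the first line.
read_authtok() { head -c 4096 | tr -d '\0' | head -n 1; }

# pam_password_hook BACKEND...: validate the PAM context pam_exec supplies
# (PAM_TYPE, PAM_USER), then pipe the new password to BACKEND's stdin with
# the user name appended as BACKEND's last argument.
pam_password_hook() {
    # Ignore auth/account/session invocations of the same script.
    [ "${PAM_TYPE:-}" = "password" ] || return 0
    [ -n "${PAM_USER:-}" ] || { log_msg "no PAM_USER in environment"; return 1; }
    tok=$(read_authtok)
    # An empty token means expose_authtok is missing or unsupported: fail
    # loudly instead of silently leaving the Samba password out of sync.
    if [ -z "$tok" ]; then
        log_msg "no authtok on stdin for $PAM_USER (expose_authtok missing?)"
        return 1
    fi
    # Never log $tok itself, only the outcome.
    if printf '%s\n' "$tok" | "$@" "$PAM_USER"; then
        log_msg "Samba password updated for $PAM_USER"
        return 0
    fi
    log_msg "Samba password update FAILED for $PAM_USER"
    return 1
}

# Entry point when pam_exec runs this file (skipped when sourced for tests).
[ "${SMB_SYNC_TEST:-0}" = 1 ] || pam_password_hook /usr/local/sbin/smb-push-password
```

The `optional` control keeps a back-end outage from blocking the local change; use `required` instead if an out-of-sync Samba password is the worse failure for your site.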

