Gentoo Forums
Samba4 password sync on Gentoo?

Joined: 03 Oct 2014
Posts: 1343
Location: Fayetteville, NC, USA

Posted: Tue Jun 28, 2016 3:27 pm    Post subject: Samba4 password sync on Gentoo?

I cannot seem to get Samba password sync working. I can manually create users and passwords, but I am not sure how to sync them in Samba 4. I believe my problem is changing the password, since it asks for the current password, then the new one twice. I am running 4.2.11 from Gentoo. Flags set are ads, aio, client, quota and winbind, and it is in standalone (no domain) mode.

workgroup = RTFP
realm = RTFP
server string = %h Workstation
server role = standalone server
security = user
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = ???
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
idmap config * : backend = tdb

comment = Shared Documents
path = /home/shared
valid users = @users
force user = root
force group = users
read only = No
create mode = 0660
directory mode = 0770

The share works as expected, so all is good there. I just need to know how to keep my passwords synced. I have several systems in a workgroup environment with multiple users and it gets chaotic changing this stuff manually frequently.
Ever picture systemd as what runs "The Borg"?

Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs

Posted: Wed Jun 29, 2016 1:47 am    Post subject: Check your pam setup

This can get involved depending on what you are doing with your samba setup. Our standard model at work is to have a winders server set up as an AD domain controller. It looks like you have Linux doing the honors here so you are going to have to do things a bit differently from my model of using Winbind to do the password chores:

This is an example PAM system-auth-ac for CentOS 6.x, which I also force in place of the password-auth-ac that RedHat likes using. For Gentoo you will be hacking up your /etc/pam.d/system-auth file:

auth        required
auth       required preauth silent deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth       required inactive=90
auth        sufficient try_first_pass
auth       [default=die] authfail deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required

account     required
account       required
account     required broken_shadow
account     sufficient
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3 type= difok=1 minlen=14 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1
password    sufficient sha512 shadow try_first_pass use_authtok remember=24
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     optional umask=0077
session     [success=1 default=ignore] service in crond quiet use_uid
session       [default=1] nowtmp showfailed
session       optional silent noupdate showfailed
session     required

To handle sync on the password change look at the items in the password stack above. I hit pam_cracklib first to do the whole prompting of new password and then applying the complexity tests that are needed to satisfy the "suits", in this case, US govt standards for classified IS systems which require a minimum of 14 chars, and at least one of each class of char (upper, lower, digit and "other"). The standard also now requires that the password be different from the 24 previously used passwords that the user had set, thus the "remember=24" on the pam_unix module. pam_winbind takes the password returned from pam_cracklib and throws it over the wall to the Windows Active Directory DC and thus accomplishes the transparent synching of passwords that we want with the whole single sign-on concept.

/etc/nsswitch.conf also needs to have winbind set up in it for the searching of local and then of AD users and passwords such as:

passwd:     files winbind
shadow:     files winbind
group:      files winbind

So going back to what you need to do for synching up the smbpasswd database, you will probably be using pam_smbpass. Doing a quick Google on it yields something from our BSD friends, among other things:

I suspect you will end up with something like this in your system-auth in place of the stanza above:

password    sufficient use_authtok migrate
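The reply above explains that pam_cracklib prompts for the new password and later modules with use_authtok (pam_unix, then pam_winbind or pam_smbpass) reuse it. The simulator below is an added example, not code from the forum post or from Samba; it walks a "password" stack with Linux-PAM control-flag semantics so you can check which modules actually receive the password. The two stacks in it are constructed for the example, and pam_deny.so is assumed as the trailing fallback.

```python
# Added example (not from the forum post): simulate how Linux-PAM walks a
# "password" stack so one can see which modules receive the new password.
CONTROLS = {"required", "requisite", "sufficient", "optional"}

def parse_stack(text, kind="password"):
    """Return [(control, module, args)] for the lines of one stack type."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != kind:
            continue
        if len(parts) < 3 or parts[1] not in CONTROLS:
            raise ValueError("unsupported line (bracketed controls not handled): " + line)
        entries.append((parts[1], parts[2], parts[3:]))
    return entries

def run_stack(entries, outcomes=None):
    """Walk the stack with Linux-PAM control-flag semantics. outcomes maps module
    name -> True/False (unlisted modules succeed). Returns (ok, modules_run)."""
    outcomes = outcomes or {}
    ran, failed = [], False
    for control, module, _args in entries:
        ok = outcomes.get(module, module != "pam_deny.so")  # pam_deny always fails
        ran.append(module)
        if control == "required" and not ok:
            failed = True            # remember the failure but keep walking
        elif control == "requisite" and not ok:
            return False, ran        # abort the stack at once
        elif control == "sufficient" and ok and not failed:
            return True, ran         # success ends the stack here
        # an "optional" module's result is ignored
    return not failed, ran

# Constructed stacks. With pam_unix marked sufficient, a local user's change
# succeeds there and ends the stack, so pam_smbpass never sees the password.
SUFFICIENT_STACK = """\
password requisite  pam_cracklib.so try_first_pass retry=3 minlen=14
password sufficient pam_unix.so sha512 shadow use_authtok remember=24
password sufficient pam_smbpass.so use_authtok migrate
password required   pam_deny.so
"""
# With required entries every module runs, so both password stores get updated.
REQUIRED_STACK = """\
password requisite  pam_cracklib.so try_first_pass retry=3 minlen=14
password required   pam_unix.so sha512 shadow use_authtok remember=24
password required   pam_smbpass.so use_authtok migrate
"""
def modules_run(stack_text, outcomes=None):
    return run_stack(parse_stack(stack_text), outcomes)[1]
```

Pass an outcomes dict (for example `{"pam_cracklib.so": False}`) to see how a rejected password or a missing shadow entry changes which modules run.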