Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Samba4 password sync on Gentoo?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
The_Great_Sephiroth
Veteran
Veteran


Joined: 03 Oct 2014
Posts: 1343
Location: Fayetteville, NC, USA

PostPosted: Tue Jun 28, 2016 3:27 pm    Post subject: Samba4 password sync on Gentoo? Reply with quote

I cannot seem to get Samba password sync working. I can manually create users and passwords, but I am not sure how to sync them in Samba 4. I believe my problem is changing the password since it asks for the current password, then new one twice. I am running 4.2.11 from Gentoo. Flags set are ads, aio, client, quota, winbind and it is in standalone (no domain) mode.
Code:

[global]
workgroup = RTFP
realm = RTFP
server string = %h Workstation
server role = standalone server
security = user
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = ???
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
idmap config * : backend = tdb

[Shared]
comment = Shared Documents
path = /home/shared
valid users = @users
force user = root
force group = users
read only = No
create mode = 0660
directory mode = 0770

The share works as expected, so all is good there. I just need to know how to keep my passwords synced. I have several systems in a workgroup environment with multiple users and it gets chaotic changing this stuff manually frequently.
_________________
Ever picture systemd as what runs "The Borg"?
Back to top
View user's profile Send private message
vaxbrat
l33t
l33t


Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs

PostPosted: Wed Jun 29, 2016 1:47 am    Post subject: Check your pam setup Reply with quote

This can get involved depending on what you are doing with your samba setup. Our standard model at work is to have a winders server set up as an AD domain controller. It looks like you have Linux doing the honors here so you are going to have to do things a bit differently from my model of using Winbind to do the password chores:

This is an example pam system-auth-ac for centos6.x which I also force in place of the password-auth-ac that RedHat likes using. For Gentoo you will be hacking up your /etc/pam.d/system-auth file:

Code:
auth        required      pam_env.so
auth       required     pam_faillock.so preauth silent deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth       required     pam_lastlog.so inactive=90
auth        sufficient    pam_unix.so try_first_pass
auth       [default=die] pam_faillock.so authfail deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account       required     pam_faillock.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type= difok=1 minlen=14 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session       [default=1]   pam_lastlog.so nowtmp showfailed
session       optional     pam_lastlog.so silent noupdate showfailed
session     required      pam_unix.so


To handle sync on the password change look at the items in the password stack above. I hit pam_cracklib first to do the whole prompting of new password and then applying the complexity tests that are needed to satisfy the "suits", in this case, US govt standards for classified IS systems which require a minimum of 14 chars, and at least one of each class of char (upper, lower, digit and "other"). The standard also now requires that the password be different from the 24 previously used passwords that the user had set, thus the "remember=24" on the pam_unix module. pam_winbind takes the password returned from pam_cracklib and throws it over the wall to the Windows Active Directory DC and thus accomplishes the transparent synching of passwords that we want with the whole single sign-on concept.

/etc/nsswitch.conf also needs to have winbind set up in it for the searching of local and then of AD users and passwords such as:

Code:
passwd:     files winbind
shadow:     files winbind
group:      files winbind




So going back to what you need to do for synching up the smbpasswd database, you will probably be using pam_smbpass. Doing a quick google on it yields something from our bsd friends among other things:

https://forums.freebsd.org/threads/49581/

I suspect you will end up with something like this in your system-auth in place of the pam_winbind.so stanza above:

Code:
password    sufficient    pam_smbpass.so use_authtok migrate
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum