
Synchronizing Passwords - Administration

In this third part to a four-part series on handling authentication and authorization in Samba, you will learn about username maps, account utilities, and more. It is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

By: O'Reilly Media
February 21, 2008




The complaint with Samba in regard to user accounts is that its user passwords must be maintained separately from the Unix or Linux system passwords. To help alleviate the pain of managing multiple passwords for each user, Samba provides a mechanism to synchronize the user's Unix password entry when a CIFS client requests that the LanMan and NT password hashes be changed. Of course, this solution does not help when the user changes the password by means other than the SMB/CIFS protocol, such as using the passwd command or writing to the passdb storage directly using pdbedit.

The only prerequisite for using this feature is that the root user be able to reset a user's password without knowing the old password. The reason for this requirement is that the client encrypts the new password with the old password hash as the key. The clear text of the old password is never sent. Password hashes are one-way, so there is no way to derive the clear text of the password from the old password hash.

It is extremely difficult to make generalities about Windows clients because there are so many different versions. In fact, Windows 9x/Me clients do send the clear text of the old password, in uppercase of course, when the net.exe command is used to change a password. But this approach is hardly useful, because it is impossible to determine the case of the new password.

The smbd daemon currently supports three mechanisms for changing a user's Unix password:

  • Communicating with an external password program
  • Utilizing the PAM password change API
  • Requesting that the LDAP Directory service do the work on its behalf

The simplest option of the three, the ldap password sync option (sometimes called ldap passwd sync), instructs smbd to send a ModifyPassword extended request to the directory service, which then updates the userPassword attribute on behalf of the user. This option currently works only when Samba is using the ldapsam passdb module and when the LDAP directory service is running a recent version of OpenLDAP. To enable password synchronization, with all these prerequisites in place, add ldap password sync = yes to the [global] section of smb.conf.

If you can't make use of this optimal solution, the next option is to enable the unix password sync option and then choose which of the first two mutually exclusive password change mechanisms you wish to use. Relying on an external program is the older method. In this case, you must define a value for the passwd program parameter and then specify a passwd chat conversation string.

The chat value is a special string generally called an "expect string" or "chat string"; it lists pairs of strings in which the first of each pair is the text that you expect the external program to output, and the second is the text that the external program expects the user to enter. With an expect string, an automated system can interact with a program that was designed for a human user. In this case, Samba is pretending to be the root user and is interacting with a password change program. The Samba expect string is case-insensitive and can contain wildcards (*) to eat a variable number of characters when evaluating the output from the program in the passwd program parameter. Remember that the passwd program executable is run as root, so be sure to pass the Unix user name (%u) as a command-line argument, or else you will be stuck just changing root's credentials.

The following example works on most recent versions of Linux from Novell or Red Hat:

encrypt passwords = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n \
              *new*password* %n\n *changed*

Deriving passwd chat values is not extremely difficult. This one was developed by examining the output from running /usr/bin/passwd from a shell prompt, as shown here:

  root# passwd lizard
  Changing password for lizard.
  New Password:
  Reenter New Password:
  Password changed.

Notice that the expect string collapses the first line of output to a single * character.
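
The following Python sketch is an added example, not code from the book or from Samba. It models how an expect string is evaluated, running the passwd chat value listed in Table 5-13 against the passwd output shown above; splitting the output at each prompt and the second, constructed transcript are assumptions made for illustration.

```python
import re

# passwd chat value as listed in Table 5-13 of the article.
CHAT = r"*new*password* %n\n *new*password* %n\n *changed*"

# Output of /usr/bin/passwd from the article, split at the points where the
# program stops and waits for input (the split is an assumption of this model).
PAGE_OUTPUT = ["Changing password for lizard.\n  New Password: ",
               "  Reenter New Password: ",
               "  Password changed.\n"]

# Constructed output of a different passwd program, to show a failing chat.
OTHER_OUTPUT = ["Enter new UNIX password: ",
                "Retype new UNIX password: ",
                "passwd: password updated successfully\n"]

def parse_chat(chat):
    """Split a chat value into (expect, send) pairs; a trailing expect has send=None."""
    tokens = chat.split()
    return [(tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None)
            for i in range(0, len(tokens), 2)]

def expect_matches(pattern, text):
    """Case-insensitive match in which '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text.strip(), re.IGNORECASE | re.DOTALL) is not None

def run_chat(chat, program_output, new_password):
    """Return (ok, sent): whether every expect matched, and what was sent."""
    sent, outputs = [], iter(program_output)
    for expect, send in parse_chat(chat):
        # A lone "." means "expect nothing" or "send nothing" (see smb.conf).
        if expect != "." and not expect_matches(expect, next(outputs, "")):
            return False, sent
        if send not in (None, "."):
            # Expand the \n escape first so a password is never re-interpreted.
            sent.append(send.replace("\\n", "\n").replace("%n", new_password))
    return True, sent

if __name__ == "__main__":
    for name, output in (("article", PAGE_OUTPUT), ("other", OTHER_OUTPUT)):
        ok, sent = run_chat(CHAT, output, "n3w-Pass")
        print(name, "chat completed" if ok else "chat failed", "after", len(sent), "sends")
```

With the second transcript the chat fails at the final expect, because that program never prints text matching *changed*; the chat string has to be derived from the actual output of the configured passwd program.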

The pam password change Boolean parameter replaces the invocation of an external command with a series of calls to the system's PAM library. The passwd chat parameter plays the same role as before, providing a means by which smbd is able to interact with the PAM password change interface. This requires that the Samba PAM service has been correctly configured in either /etc/pam.conf or /etc/pam.d/samba. The following is a basic PAM password change stack that performs strength checks on the new password, and finally hands it off to the pam_unix.so library to actually update the user's credentials:

  password required  pam_pwcheck.so  nullok
  password required  pam_unix2.so    nullok use_first_pass use_authtok

Next, we can update the previous example to make use of the new PAM configuration file:

encrypt passwords = yes
unix password sync = yes
pam password change = yes
passwd chat = *New*password* %n\n \
              *new*password* %n\n *changed*

If desired, password strength checking can be performed using an external utility specified by the check password script parameter. This directive should point to a tool or script that accepts the new password as its single argument and returns 0 for valid passwords and a nonzero value if the strength check fails.

Table 5-13 summarizes all of the password synchronization options we have discussed in this section.

Table 5-13. Password synchronization parameters

  • check password script: Defines an external script that is used to verify the strength of a new password. The script must return 0 to indicate a valid password.
  • ldap password sync: If enabled, smbd sends a Modify Password extended operation (currently supported only by OpenLDAP servers) to request that the user's directory service password attribute be updated.
  • pam password change: Controls whether smbd uses PAM to change a user's Unix password.
  • passwd program: External program to change a user's Unix credentials.
  • passwd chat: An expect string that smbd uses to interact and evaluate the password change conversation. Default: *new*password* %n\n *new*password* %n\n *changed*
  • passwd chat debug: Samba dumps the passwd chat conversation to its logfiles when this option is enabled, the DEBUG_PASSWORD macro was enabled at compile time, and the debug level is set to 100 or greater.
  • passwd chat timeout: The maximum number of seconds that smbd should wait for a passwd chat to complete.
  • unix password sync: Defines whether Samba should attempt to synchronize a user's Unix password upon receiving a password change request from a CIFS client.



Please check back next week for the continuation of this article.
