Unix and Samba password sync on Debian Etch

Update (October 15th, 2009): Mark Nellemann confirms this also works on Lenny.

Assumptions

Prerequisites

Install the following packages, if you do not already have them installed:

# apt-get install libpam-smbpass smbclient

Unix -> Samba

In order to update the Samba password whenever a user changes their Unix password, change

/etc/pam.d/common-password: from

password   required   pam_unix.so nullok obscure min=4 max=8 md5

to

password   requisite   pam_unix.so nullok obscure min=4 max=8 md5
password   required   pam_smbpass.so nullok use_authtok try_first_pass

Changing "required" to "requisite" for pam_unix makes PAM stop and return failure immediately if the Unix password change fails, so pam_smbpass is never reached and the Samba password cannot get out of step with the Unix one.

In order for this to work, users must already have Samba accounts, and their Samba passwords must match their Unix passwords. Because this is not necessarily the case, we must change

/etc/pam.d/common-auth: from

auth    required        pam_unix.so nullok_secure

to

auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_smbpass.so migrate

This creates a Samba account if one doesn't already exist and sets its password to the Unix password, whenever the user logs in over SSH or through any other service that uses the default system (common-auth) authentication.

You should see the message "Added user <username>" when logging in over SSH with an account that doesn't yet have a Samba account.

Because this will also create a Samba account for root, you might want to disable root access in Samba (Debian Etch has it disabled by default):

/etc/samba/smb.conf:

invalid users = root

Caveat: This will not work if the user logs in via SSH or other services without using a password (for example by using public/private key authentication). In this case, PAM won't have the plain-text password, which is needed to create the Samba password.

Notice: once common-password also requires a Samba password update, users who are already logged in will not be able to change their password with "passwd" until they log in again (which creates or migrates their Samba account), unless they already have a Samba account whose password equals their Unix password.

Samba -> Unix

Synchronization in this direction isn't strictly necessary if your users won't change their Samba passwords directly with smbpasswd, but it is worth enabling so that such a change cannot leave the two passwords out of step and break the configuration above.

We instruct Samba to use PAM when changing passwords:

/etc/samba/smb.conf:

unix password sync = yes
pam password change = yes

Restart Samba using /etc/init.d/samba restart.

Configure PAM to let Samba change passwords by adding @include common-password to /etc/pam.d/samba:

/etc/pam.d/samba:

@include common-auth
@include common-account
@include common-session
@include common-password

Samba will then change passwords through the same stack that "passwd" uses, which means the Unix password must be updated successfully before the Samba password is changed.

Creating new users

If you attempt to create a new Unix user and set their password using passwd, you will get:

# passwd test
passwd: User not known to the underlying authentication module
passwd: password unchanged

This is because the new user has no Samba account yet, and pam_smbpass is now required in the password stack. To bypass PAM and set the Unix password directly, use chpasswd (the Samba account is then created at the user's first password login, as described above):

# useradd test
# echo "test:newpass" | chpasswd

Note that a password passed through echo ends up in the shell history; chpasswd reads user:password lines from standard input, so you can also run it without the pipe and type the line interactively.

If you know of a way around this, let me know.

Testing

You can check if a given Samba password is correct by using:

$ smbclient -L localhost -U username
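As an added example (not code from the original post or from Samba), here is an offline way to check the same thing without a network round trip: compare the NT hash that pdbedit -L -w prints for a user against the hash of the password you expect. It also lists accounts carrying the empty-password hash, which the nullok options above make possible. The sample dump embedded in the script is constructed; the smbpasswd-style field layout and the pdbedit -L -w -u <user> invocation are what the script assumes.

```python
"""Offline check that a Samba account's stored NT hash matches a candidate
password (for example the Unix password you just set with passwd).

Added example for this page; it is not code from the original post or from
Samba. It assumes the smbpasswd-style dump printed by `pdbedit -L -w`
(user:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:). The NT hash is MD4 over the
UTF-16LE encoding of the password; MD4 is implemented here because hashlib
no longer provides it on OpenSSL 3 builds without the legacy provider.
"""
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest of data (16 bytes)."""
    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        # Each step rewrites one register; rotating (a, b, c, d) -> (d, new, b, c)
        # reproduces the RFC's a/d/c/b order without spelling out all 48 steps.
        for i in range(16):
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it: MD4 of the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_smbpasswd(dump: str) -> dict:
    """Map user -> NT hash field from smbpasswd-style lines (pdbedit -L -w)."""
    entries = {}
    for line in dump.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] and not fields[0].startswith("#"):
            entries[fields[0]] = fields[3].upper()
    return entries


def samba_password_matches(dump: str, user: str, password: str) -> bool:
    """True if the stored NT hash for user equals the hash of password."""
    stored = parse_smbpasswd(dump).get(user)
    return stored is not None and hmac.compare_digest(stored, nt_hash(password))


def empty_password_accounts(dump: str) -> list:
    """Users whose NT hash is that of the empty string (possible with nullok)."""
    empty = nt_hash("")
    return sorted(u for u, hsh in parse_smbpasswd(dump).items() if hsh == empty)


# Constructed sample in pdbedit -L -w format (not real account data):
# alice holds the NT hash of "password", bob the hash of the empty password.
SAMPLE_DUMP = """\
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-4AD6F9A0:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-4AD6F9A0:
"""

if __name__ == "__main__":
    import getpass
    import subprocess
    import sys

    if len(sys.argv) == 2:
        # Live use (run as root): pull one user's entry from the Samba database.
        user = sys.argv[1]
        dump = subprocess.run(["pdbedit", "-L", "-w", "-u", user],
                              capture_output=True, text=True, check=True).stdout
        print(samba_password_matches(dump, user, getpass.getpass("Password to check: ")))
    else:
        print(samba_password_matches(SAMPLE_DUMP, "alice", "password"))
        print(empty_password_accounts(SAMPLE_DUMP))
```

Run it as root with a username to check the live database (it prompts for the password rather than taking it on the command line), or without arguments to exercise the constructed sample. Treat the pdbedit output with the same care as /etc/shadow: NT hashes are unsalted, so a dump of them is directly crackable.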

To test everything:

If everything works, congratulations.

More info