The_Great_Sephiroth Veteran
Joined: 03 Oct 2014 Posts: 1606 Location: Fayetteville, NC, USA
Posted: Tue Jun 28, 2016 3:27 pm Post subject: Samba4 password sync on Gentoo?
I cannot seem to get Samba password sync working. I can manually create users and passwords, but I am not sure how to sync them in Samba 4. I believe my problem is changing the password, since it asks for the current password, then the new one twice. I am running 4.2.11 from Gentoo. Flags set are ads, aio, client, quota, winbind, and it is in standalone (no domain) mode.
Code:
```
[global]
workgroup = RTFP
realm = RTFP
server string = %h Workstation
server role = standalone server
security = user
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = ???
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
idmap config * : backend = tdb
[Shared]
comment = Shared Documents
path = /home/shared
valid users = @users
force user = root
force group = users
read only = No
create mode = 0660
directory mode = 0770
```
The share works as expected, so all is good there. I just need to know how to keep my passwords synced. I have several systems in a workgroup environment with multiple users and it gets chaotic changing this stuff manually frequently.
_________________
Ever picture systemd as what runs "The Borg"?
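As an added example, not taken from either post in this thread, here is the `[global]` section the question's `passwd chat = ???` line is asking for: a chat script matching the prompts that shadow-utils `passwd` prints when run as root. The prompt wording is an assumption and must be checked against the actual `passwd` output on the Gentoo box; `passwd chat debug` and a high `log level` are only for troubleshooting, since they write the exchange to the Samba log.

```ini
[global]
    server role = standalone server
    security = user

    ; Change the Unix password in the same operation as the SMB password.
    ; Samba runs the passwd program as root, so passwd does not ask for the
    ; current password; only the two "new password" prompts need answering.
    unix password sync = yes
    passwd program = /usr/bin/passwd %u

    ; Expect/send pairs: the '*' wildcards match prompt text, %n is
    ; replaced by the new password and \n sends Enter. The prompt wording
    ; below is an ASSUMPTION based on shadow-utils passwd; compare it with
    ; "passwd someuser" run as root and adjust the patterns if it differs.
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *updated*successfully*

    ; Troubleshooting only: log the full chat so a prompt mismatch is
    ; visible. Remove both lines once the sync works, the log then
    ; contains the exchange (though not the password itself) at level 100.
    passwd chat debug = yes
    log level = 100
```

Validate the file with `testparm` before reloading Samba, then change a test user's password from a client and confirm with `pdbedit -L` and a Unix login that both stores changed.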
vaxbrat l33t
Joined: 05 Oct 2005 Posts: 731 Location: DC Burbs
Posted: Wed Jun 29, 2016 1:47 am Post subject: Check your pam setup
This can get involved depending on what you are doing with your samba setup. Our standard model at work is to have a winders server set up as an AD domain controller. It looks like you have Linux doing the honors here so you are going to have to do things a bit differently from my model of using Winbind to do the password chores:
This is an example pam system-auth-ac for centos6.x which I also force in place of the password-auth-ac that RedHat likes using. For Gentoo you will be hacking up your /etc/pam.d/system-auth file:
Code:
```
auth required pam_env.so
auth required pam_faillock.so preauth silent deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth required pam_lastlog.so inactive=90
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_faillock.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= difok=1 minlen=14 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
session required pam_unix.so
```
To handle sync on the password change look at the items in the password stack above. I hit pam_cracklib first to do the whole prompting of new password and then applying the complexity tests that are needed to satisfy the "suits", in this case, US govt standards for classified IS systems which require a minimum of 14 chars, and at least one of each class of char (upper, lower, digit and "other"). The standard also now requires that the password be different from the 24 previously used passwords that the user had set, thus the "remember=24" on the pam_unix module. pam_winbind takes the password returned from pam_cracklib and throws it over the wall to the Windows Active Directory DC and thus accomplishes the transparent synching of passwords that we want with the whole single sign-on concept.
/etc/nsswitch.conf also needs to have winbind set up in it for the searching of local and then of AD users and passwords such as:
Code:
```
passwd: files winbind
shadow: files winbind
group: files winbind
```
So going back to what you need to do for synching up the smbpasswd database, you will probably be using pam_smbpass. Doing a quick google on it yields something from our bsd friends among other things:
https://forums.freebsd.org/threads/49581/
I suspect you will end up with something like this in your system-auth in place of the pam_winbind.so stanza above:
Code:
```
password sufficient pam_smbpass.so use_authtok migrate
```