Use of pam_exec or pam_smbpass

I'm trying to implement a custom password scheme through pam and samba.
Basically, if a user wants to change their password on a client, the
change has to be propagated to the samba server so it can also set the
windows password. It works fine to tell users to use 'smbpasswd -r
samba.mydomain', or to make passwd an alias that does that, but it would
be better to make the change go through PAM so it will work from the GUI
as well.
Now, I found 2 ways to do this: pam_smbpass and pam_exec, but with both,
I seem to be hitting a stone wall.

pam_smbpass:
On a machine that has a full smb.conf with all the LDAP connections etc.
(including ldap bind credentials in secrets.tdb), something like
    password   required   pam_smbpass.so nullok use_authtok try_first_pass
in the appropriate /etc/pam.d files seems to do the trick. However, I
don't really want to make every desktop a full member of the domain.
So, it would be nice if there was a way to make pam_smbpass connect to a
remote samba server, but I haven't been able to find one. Any help in
this area would be appreciated.

pam_exec:
The man page states 'All module types (auth, account, password and
session) are provided.' So it should be possible to write a script or
program to handle a pam password call, right? But, the script I wrote
doesn't seem to receive the old or new password. And re-reading the
documentation, I notice that nothing is mentioned about passing a
password to the module anywhere, except on authentication, when
expose_authtok will do that (then the password will be passed through
stdin). But nothing like that when called for a password change.
Again, what did I miss? Is the password module type not fully
implemented, or should this be handled in another way?

(OS: Fedora 15, RHEL 6, both same situation) 

David Jansen

PS: I know a 3rd option would be to switch everything over to winbind,
which may or may not work in our complex situation with various Windows
domains with trusts. The point is: everything else works, except for a
consistent password change method, so before we decide to redesign the
whole setup, we want to be absolutely sure that there isn't something
simple we are overlooking.
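
A probe for the pam_exec question in the message above, as an added example that is not part of the original post: installed as the command on a pam_exec `password` line, it logs the PAM_* variables pam_exec exports and how many bytes arrived on stdin, which shows whether the installed Linux-PAM version delivers a token during a password change. The script name pam_probe.sh, the log path and the helper names are assumptions; the stdin content is counted and discarded, never logged.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. pam_probe.sh, PROBE_LOG and the
# helper names are hypothetical. It records what pam_exec hands to a command:
# the PAM_* environment variables and how many bytes arrived on stdin.
# The bytes themselves are discarded, so no password reaches the log.

PROBE_LOG="${PROBE_LOG:-/var/log/pam_exec_probe.log}"   # assumed location

# Print the number of bytes readable from stdin; content is never stored.
stdin_bytes() {
    if [ -t 0 ]; then
        echo 0                      # interactive terminal: do not block on it
    else
        wc -c | tr -d ' '
    fi
}

# Build one log line from the variables pam_exec exports.
probe_line() {
    n=$(stdin_bytes)
    printf 'type=%s user=%s service=%s stdin_bytes=%s\n' \
        "${PAM_TYPE:-unset}" "${PAM_USER:-unset}" "${PAM_SERVICE:-unset}" "$n"
}

# Log only when started by pam_exec (it sets PAM_TYPE). Errors are swallowed
# so that a broken probe cannot make the PAM stack fail.
if [ -n "${PAM_TYPE:-}" ]; then
    umask 077                       # log lists usernames: keep it root-only
    { printf '%s ' "$(date '+%Y-%m-%dT%H:%M:%S')"; probe_line; } \
        >>"$PROBE_LOG" 2>/dev/null || :
fi
```

A line with `type=password` and `stdin_bytes=0` means the command was invoked for the password change but received no token on stdin.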
