[sork] Changing passwords to several backends

Christopher Huyler chris at huyler.net
Wed Mar 31 18:57:30 PST 2004


> Is it possible to change the password to several backends at once? I want 
> my users to have the same password everywhere (so it looks like everything
> is in a central place, even though that's not exactly true).
>
> So what I need is the password module to update both the system userbase 
> and samba's, at the same time and (obviously) prompting the user for their
> new password just once.

Have you looked into using pam_smb to centralize all your passwords?  

http://www.skynet.ie/~airlied/pam_smb/ 

I have my Solaris box set up as a Samba PDC where the passwords are stored
in an encrypted smbpasswd file.  This would also work if you had a Win2K PDC
or whatever.  I then installed pam_smb_auth.so and configured pam.conf to
check both unix and smb passwords.  Most common programs (telnet, ftp) come
with PAM support built in but other programs (such as uw-imap) need to be
recompiled.  When changing passwords, I always use smbpasswd unless I'm
changing the root password.  When users change their password from a Windows
machine, it will affect how they log in through imap, ftp or telnet also.
Once it is set up, you use the smbpasswd driver for sork passwd.

Here's an example of how to set up pam.conf on Solaris 8.  pam_smb_auth.so
must be the last entry, and pam_unix_auth.so must be changed to
sufficient...

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_smb_auth.so use_first_pass debug

At work everyone has a Windows domain account.  We have tons of UNIX test
machines and I'm always forgetting my password.  I've been using this
technique to make the machines part of the Windows domain so my co-workers
and I only have to remember one password.  We have to change the
password once a month.  Because the password is stored on the PDC and not
any of the local machines, changing one password changes it everywhere.

~ Chris
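
An added example, not part of the original message: a small Python model of how the `login` auth stack quoted above is evaluated, using the standard PAM control-flag semantics for requisite, required and sufficient. The per-module results and the `scenario` helper are constructed for illustration, and the first three modules are assumed to succeed.

```python
# Added illustration: models PAM control-flag evaluation for the stack quoted in the message.
STACK = """\
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_dial_auth.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_smb_auth.so use_first_pass debug
"""

def parse(text, service="login", mod_type="auth"):
    """Return [(control_flag, module, options)] for one service and module type."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[:2] == [service, mod_type]:
            entries.append((fields[2], fields[3], fields[4:]))
    return entries

def evaluate(entries, results):
    """results maps module -> True/False. Returns (granted, modules consulted)."""
    required_failed, any_ok, consulted = False, False, []
    for flag, module, _opts in entries:
        ok = results[module]
        consulted.append(module)
        any_ok = any_ok or ok
        if not ok and flag == "requisite":
            return False, consulted          # fail immediately
        if not ok and flag == "required":
            required_failed = True           # remember the failure, keep going
        if ok and flag == "sufficient" and not required_failed:
            return True, consulted           # success short-circuits the rest
    return (any_ok and not required_failed), consulted

def scenario(unix_ok, smb_ok, stack=STACK):
    """Constructed inputs: the first three modules are assumed to succeed."""
    results = {"pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
               "pam_dial_auth.so.1": True, "pam_unix_auth.so.1": unix_ok,
               "pam_smb_auth.so": smb_ok}
    return evaluate(parse(stack), results)

if __name__ == "__main__":
    print("local account :", scenario(True, False))
    print("domain account:", scenario(False, True))
    print("bad password  :", scenario(False, False))
    strict = STACK.replace("sufficient", "required")
    print("unix required, domain account:", scenario(False, True, strict))
```

In the first case the model returns at pam_unix_auth.so.1, so a password that still matches the local Unix entry is accepted without pam_smb_auth.so being consulted. The last case shows a domain-only account being refused when pam_unix_auth.so.1 is left as required.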


