Old 11-02-2011, 08:40 AM
David Jansen
 
Use of pam_exec or pam_smbpass

I'm trying to implement a custom password scheme through pam and samba.
Basically, if a user wants to change their password on a client, the
change has to be propagated to the samba server so it can also set the
windows password. It works fine to tell users to use 'smbpasswd -r
samba.mydomain', or to make passwd an alias that does that, but it would
be better to make the change go through PAM so it will work from the GUI
as well.
Now, I found 2 ways to do this: pam_smbpass and pam_exec, but with both,
I seem to be hitting a stone wall.

pam_smbpass:
On a machine that has a full smb.conf with all the LDAP connections etc
(including ldap bind credentials in secrets.tdb), something like
password required pam_smbpass.so nullok use_authtok try_first_pass
in the appropriate /etc/pam.d files seems to do the trick. However, I
don't really want to make every desktop a full member of the domain.
So, it would be nice if there was a way to make pam_smbpass connect to a
remote samba server, but I haven't been able to find one. Any help in
this area would be appreciated.

pam_exec:
The man page states 'All module types (auth, account, password and
session) are provided.' So it should be possible to write a script or
program to handle a pam password call, right? But, the script I wrote
doesn't seem to receive the old or new password. And re-reading the
documentation, I notice that nothing is mentioned about passing a
password to the module anywhere, except on authentication, when
expose_authtok will do that (then the password will be passed through
stdin). But nothing like that when called for a password change.
Again, what did I miss? Is the password module type not fully
implemented, or should this be handled in another way?

(OS: Fedora 15, RHEL 6, both same situation)

David Jansen

PS: I know a 3rd option would be to switch everything over to winbind,
which may or may not work in our complex situation with various Windows
domains with trusts. The point is: everything else works, except for a
consistent password change method, so before we decide to redesign the
whole setup, we want to be absolutely sure that there isn't something
simple we are overlooking.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
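Added example (not from the thread, and not Samba's or Linux-PAM's own code): a helper script for the pam_exec route described above. It shows the contract pam_exec gives a child on the password stack (PAM_TYPE, PAM_USER and PAM_SERVICE in the environment; with expose_authtok the token on stdin, not on argv), acts only in the password phase, validates the username before handing it to anything, and never writes the secret to a log. It assumes a pam_exec build that honours expose_authtok for the password type (recent Linux-PAM releases do; the 2011-era versions in the thread evidently did not) and a site-specific propagation command, here the placeholder /usr/local/sbin/site-sync-password, which takes the username as its argument and the new password on stdin.

```shell
#!/bin/sh
# pam-sync-password: helper for pam_exec on the "password" stack.
# Added example, not code from the thread or from Samba/Linux-PAM.
#
# Assumed line in the relevant /etc/pam.d file:
#   password  optional  pam_exec.so seteuid expose_authtok /usr/local/sbin/pam-sync-password
#
# pam_exec puts PAM_TYPE, PAM_USER and PAM_SERVICE (plus PAM_RHOST/PAM_TTY
# when set) in the environment; with expose_authtok the token is written to
# the child's stdin, so it never appears in `ps` or in shell history.
# Assumption: a pam_exec that supports expose_authtok for the password type.

# Site-specific propagation command (placeholder path): receives the username
# as $1 and the new password on stdin. Overridable so the script can be tested.
: "${SYNC_CMD:=/usr/local/sbin/site-sync-password}"

# Log via syslog when logger exists, else stderr. Never include the token.
log_msg() {
    if command -v logger >/dev/null 2>&1; then
        logger -t pam-sync-password -- "$*"
    else
        printf 'pam-sync-password: %s\n' "$*" >&2
    fi
}

# Only act in the password phase, and only for a plausible username
# (conservative pattern; no empty names, no leading dash, no shell metachars).
check_context() {
    [ "${PAM_TYPE:-}" = "password" ] || return 1
    case "${PAM_USER:-}" in
        "" | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Read the token from stdin, capped at PAM_MAX_RESP_SIZE (512) bytes.
# Command substitution by the caller trims any trailing newline.
read_authtok() {
    head -c 512
}

# Propagate: username on the command line, secret on stdin. A non-zero exit
# status makes the pam_exec module fail; the control flag in pam.d decides
# whether that blocks the local change.
sync_password() {
    user=$1
    authtok=$(read_authtok)
    if [ -z "$authtok" ]; then
        log_msg "empty token for user=$user service=${PAM_SERVICE:-unset}"
        return 1
    fi
    printf '%s\n' "$authtok" | "$SYNC_CMD" "$user"
}

main() {
    if ! check_context; then
        log_msg "refusing: type=${PAM_TYPE:-unset} user=${PAM_USER:-unset}"
        return 1
    fi
    sync_password "$PAM_USER"
}

# Run only when installed and executed under this name, not when sourced.
case "$0" in
    */pam-sync-password | pam-sync-password) main "$@" ;;
esac
```

Stack order matters: placed before pam_unix with `requisite`, a failed propagation stops the local password from changing; placed after it with `optional`, the local change goes through and the failure is only logged. Either way, verify the behaviour with a test account before rolling it out, and keep in mind that expose_authtok hands over only the new token, so a propagation command that needs the old password (as an unprivileged remote smbpasswd does) cannot be driven this way.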
 
Old 11-02-2011, 12:53 PM
Kevin Martin
 
Use of pam_exec or pam_smbpass

On 11/02/2011 04:40 AM, David Jansen wrote:
> I'm trying to implement a custom password scheme through pam and samba.
> Basically, if a user wants to change their password on a client, the
> change has to be propagated to the samba server so it can also set the
> windows password. It works fine to tell users to use 'smbpasswd -r
> samba.mydomain', or to make passwd an alias that does that, but it would
> be better to make the change go through PAM so it will work from the GUI
> as well.
> Now, I found 2 ways to do this: pam_smbpass and pam_exec, but with both,
> I seem to be hitting a stone wall.
>
> pam_smbpass:
> On a machine that has a full smb.conf with all the LDAP connections etc
> (including ldap bind credentials in secrets.tdb), something like
> password required pam_smbpass.so nullok use_authtok try_first_pass
> in the appropriate /etc/pam.d files seems to do the trick. However, I
> don't really want to make every desktop a full member of the domain.
> So, it would be nice if there was a way to make pam_smbpass connect to a
> remote samba server, but I haven't been able to find one. Any help in
> this area would be appreciated.
>
> pam_exec:
> The man page states 'All module types (auth, account, password and
> session) are provided.' So it should be possible to write a script or
> program to handle a pam password call, right? But, the script I wrote
> doesn't seem to receive the old or new password. And re-reading the
> documentation, I notice that nothing is mentioned about passing a
> password to the module anywhere, except on authentication, when
> expose_authtok will do that (then the password will be passed through
> stdin). But nothing like that when called for a password change.
> Again, what did I miss? Is the password module type not fully
> implemented, or should this be handled in another way?
>
> (OS: Fedora 15, RHEL 6, both same situation)
>
> David Jansen
>
> PS: I know a 3rd option would be to switch everything over to winbind,
> which may or may not work in our complex situation with various Windows
> domains with trusts. The point is: everything else works, except for a
> consistent password change method, so before we decide to redesign the
> whole setup, we want to be absolutely sure that there isn't something
> simple we are overlooking.
What's the GUI? Couldn't you do this thru a webpage and just have the webserver take the appropriate information and then pass that
to your backend application? Then, only the webserver needs to be part and parcel in the SMB domain and you could use your
pam_smbpass solution.

Kevin
 
Old 11-02-2011, 01:44 PM
David Jansen
 
Use of pam_exec or pam_smbpass

> What's the GUI? Couldn't you do this thru a webpage and just have the
> webserver take the appropriate information and then pass that
> to your backend application? Then, only the webserver needs to be
> part and parcel in the SMB domain and you could use your
> pam_smbpass solution.

I meant the locations that allow changing a password, like in the Gnome
preferences. I want to avoid the situation, where a user sees a password
change option somewhere, that seems to work (it changes the Linux
password), but causes problems later (Windows or Radius doesn't use the
new password).
That's why I hope to solve this on the PAM level somehow, so all
programs that change passwords, will work completely. Telling the users
to change their password on some web page, is not really an improvement
over aliasing 'passwd' to the command needed to change the password, and
telling them to only use that command, and not any other interface that
offers to change a password.

David Jansen
