Running a secure command across a network


arc2v
01-05-2005, 02:13 PM
Hello,
I have a small computer lab running Samba, OpenLDAP, and NFS on a mixed RH9 and W2K network.

I have one central server that does authentication, LDAP administration, and Samba shares. There is another server doing dedicated file shares, but it is not important right now.

I have everything configured to allow the Windows users to change their password and it updates both the windows and Linux password fields in the LDAP database. On the LDAP server itself, I have PAM configured to allow the passwd program to change both the samba and linux passwords together.

However, on my client Linux machines, I have not been able to get this working. It can change the Linux password properly, but not the Samba one. This is due to the Winbind PAM module not being able to interface properly with a Samba server (but it can with a Win2k server).

So, I'm left with forcing my users to change their passwords on the server.

What I would like to do, though, is have the passwd "program" on the client machines somehow log into the server as the user, then run the passwd program there. Hopefully, it would be transparent to the users.

I seem to remember ssh or stunnel being able to do something like that, but I am by no means an expert on this. Any help or direction is appreciated.

thanks,
ac

arc2v
01-05-2005, 02:31 PM
Okay, I solved one question already, but it made another problem:

ssh <host> [command] allowed me to execute the passwd command on the server with no problems.

e.g. user@client > ssh server passwd

However, the Old/New password prompts were echoing the password on the screen?!? Huh?

Somehow the ssh running the command automatically echoes the text to the screen. Any reason why this happens or ways to avoid it?

All help is appreciated.

a

stiles
01-05-2005, 06:42 PM
Are you using both the samba and NIS schemas in your LDAP server?

arc2v
01-06-2005, 10:16 AM
Yes, I'm using both. Took some debugging, but all seems to be functioning well.

I figured out the problem, the command should read:

ssh -t server passwd

the -t option forces a pseudo-tty for passwd to run under, which obeys the text-masking while the user types the old and new passwords.

Now to link passwd to that command and disable the actual passwd program on the clients.

a

stiles
01-07-2005, 11:05 AM
Originally posted by arc2v
However, on my client Linux machines, I have not been able to get this working. It can change the Linux password properly, but not the Samba one. This is due to Winbind pam module not being able to interface properly with a Samba server (but it can with a Win2k server).

Have you been on the samba mailing list and asked about this? I take it smbldap-passwd.pl is failing because of this issue.

arc2v
01-07-2005, 02:26 PM
I was on the samba mailing list a long time ago, but unsubscribed due to a lot more e-mails than I could ever hope to read :)

smbldap-passwd works fine (as root) and I got the unix pam module working fine on the server. Using the passwd command on the server sets both the ldap (unix) and samba password (pam_smbpass) fine.

Setting the password through windows works fine. The problem is when the linux password expires, it forces the change, which works for LDAP, but not for Samba (since the client linux machines cannot bind to the samba server).

the -t option on ssh fixes it, my script looks like this:

#!/bin/sh
# -t allocates a pseudo-tty on the server so passwd's prompts keep echo off
ssh -t <server> passwd

# End

This is saved as /usr/bin/passwd (with the original binary changed to passwd.orig). So if a user executes the passwd command, it redirects them to the server to run the passwd command there, ensuring they sync up.

I however have had more problems than just this: now the problem is that windows does not enforce complexity (cracklib), but Linux through LDAP does not enforce password history. For some reason, opasswd does not work when the user database is in LDAP (it never writes the old passwords to the file, since the user is not local).

The newer versions of Samba allow for password history just fine, but the user could just add a 1 to their login and it would accept it just fine.

So I'm one step away now from seamless password integration. Either samba has to add cracklib (which they are working on, but apparently does not work), or pam_unix/pam_ldap needs to work with ldap and opasswd.

But we've made it this far, so I'm sure I'll find a solution somewhere.

Thanks for all the inputs,
a
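An added example, not arc2v's own script, of a fuller version of the client-side wrapper described in this thread (the ssh -t trick from the earlier post and the /usr/bin/passwd replacement above). It assumes a placeholder server name (server.example.invalid) and that the original binary was moved to /usr/bin/passwd.orig as described. It keeps -t so the prompts do not echo, refuses an unknown or changed host key because the old and new passwords are typed into this session, lets root keep using the local binary for administering accounts, refuses extra arguments from ordinary users, and execs ssh so the exit status of the remote passwd run is passed back to whatever forced the change.

```sh
#!/bin/sh
# Added example: a client-side passwd wrapper in the spirit of the thread.
# Installed as /usr/bin/passwd after the real binary is renamed passwd.orig.
# PASSWD_SERVER below is a placeholder hostname, not a real host.

PASSWD_SERVER="${PASSWD_SERVER:-server.example.invalid}"   # placeholder
LOCAL_PASSWD="${LOCAL_PASSWD:-/usr/bin/passwd.orig}"       # renamed original

# Decide what a given invocation should run and print that command line.
# $1 is the caller's effective uid, the rest are the arguments given to passwd.
# Returns 2 (and prints nothing) when the call must be refused.
plan_passwd() {
    euid="$1"
    shift
    if [ "$euid" -eq 0 ]; then
        # root keeps the local binary for administering local accounts
        if [ "$#" -gt 0 ]; then
            printf '%s %s\n' "$LOCAL_PASSWD" "$*"
        else
            printf '%s\n' "$LOCAL_PASSWD"
        fi
        return 0
    fi
    # ordinary users may only change their own password; passing a user
    # name or options through to the server would change the meaning
    if [ "$#" -gt 0 ]; then
        return 2
    fi
    # -t gives passwd a pseudo-tty so its prompts keep echo off;
    # StrictHostKeyChecking=yes refuses an unknown or changed host key,
    # because the old and new passwords are typed into this session
    printf 'ssh -t -o StrictHostKeyChecking=yes %s passwd\n' "$PASSWD_SERVER"
}

main() {
    if cmd=$(plan_passwd "$(id -u)" "$@"); then
        # exec so the exit status of ssh (and thus of the remote passwd)
        # is returned to the caller; word-splitting of $cmd is intended
        exec $cmd
    fi
    echo "passwd: only your own password can be changed from this client" >&2
    exit 2
}

# Only act when actually installed under the name passwd, so the functions
# above can be sourced and checked without opening an SSH session.
case "$(basename -- "$0")" in
    passwd) main "$@" ;;
esac
```

The decision logic lives in plan_passwd, separate from the exec, so the wrapper's behaviour for root, for a plain user, and for a user passing arguments can be checked without an SSH connection. Because the server only ever runs passwd for the account that logged in, the extra-argument refusal keeps the wrapper from silently turning "passwd otheruser" into a change of the caller's own password.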