Using pam_smbpass
written by John Newbigin

pam_smbpass is a pam module which comes with samba which allows among others. the ability to keep a smbpasswd file in sync with the unix passwd file.

The advantages of this is that there is only one user administration task required and users can automatically use encrypted passwords when they use samba.

Currently, redhat's samba package does not include the required but you can easily grab the samba srpm and build it for your self.  The file can be found under the BUILD/sambaxxx/source/bin directory.

Using this module requires some changes to your pam configuration.  The first thing to do it remove execute permissions from authconf so it will not destroy your settings.

Next, edit (after making a backup) /etc/pam.d/system-auth so it looks like this:

# This file was edited by <Your Name>
# Do not run authconfig or it will break the smb password sync.
auth required /lib/security/
auth requisite /lib/security/ likeauth nullok
auth optional /lib/security/ migrate

account required /lib/security/

password required /lib/security/ retry=3 type=
password required /lib/security/ use_authtok try_first_pass migrate
password requisite /lib/security/ use_authtok md5 shadow try_first_pass

session required /lib/security/
session required /lib/security/

The first bold line will make pam_smbpass migrate the account when the user logs in for the first time.  The bold second line will make pam_smbpass update the users smbpassword when they change their password using passwd.

The only problem with this is setting passwords on new accounts.  The migration is only done on first login so when new users passwords are set, the password synchronisation fails.  The solution to this is to migrate on password setting as well.  This requires a small patch to smbpasswd.  

Patch against 2.2.1a here.

Patch against 2.2.8a here.

Patch against 3.0.10 here.

Last modified 20030716
Maintained by John Newbigin