Hi!

A few days ago, I had a chat with someone on #ubuntu about Samba. He was wondering how to connect to samba on his Ubuntu box. He was used to running Gentoo, where he could just use his regular username and password. AFAICS that can be achieved in two ways:

* Using unencrypted passwords
* by integrating something like smbpasswd -L -a to adduser and the smbpasswd PAM module to the passwd PAM stack, we can automagically keep the samba user database in sync with the system one.

Using unencrypted passwords is a really bad idea.

If we want adduser to add a samba account we either need to rewrite adduser to call smbpasswd directly or add some sort of mechanism for calling hook scripts from adduser. The former would add a hard dependency on Samba which is less than elegant, while the latter method also would allow for other system specific stuff to happen upon account creation, like sending a welcome mail to the user or whatever you want. Obviously the security implications need to be carefully reviewed as the hook scripts will be passed the password of the newly created user.

Thoughts?

--
| Soren Hansen | Linux2Go | http://Linux2Go.dk/ |
| Seniorkonsulent | Lindholmsvej 42, 2. TH | +45 46 90 26 42 |
| [hidden email] | 9400 Norresundby, Denmark | GPG key: E8BDA4E3 |

--
ubuntu-devel mailing list
[hidden email]
http://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
On Thursday 10 November 2005 07:12, [hidden email] wrote:
> Hi!
>
> A few days ago, I had a chat with someone on #ubuntu about Samba.
> He was wondering how to connect to samba on his Ubuntu box. He was used
> to running Gentoo, where he could just use his regular username and
> password. AFAICS that can be achieved in two ways:
> * Using unencrypted passwords
> * by integrating something like smbpasswd -L -a to adduser and the
>   smbpasswd PAM module to the passwd PAM stack, we can automagically
>   keep the samba user database in sync with the system one.
>
> Using unencrypted passwords is a really bad idea.
> If we want adduser to add a samba account we either need to rewrite
> adduser to call smbpasswd directly or add some sort of mechanism for
> calling hook scripts from adduser. The former would add a hard
> dependency on Samba which is less than elegant, while the latter
> method also would allow for other system specific stuff to happen
> upon account creation, like sending a welcome mail to the user or
> whatever you want. Obviously the security implications need to be carefully
> reviewed as the hook scripts will be passed the password of the newly
> created user.
>
> Thoughts?

My first thought is that I don't want every user I add to my servers to have samba access, especially if they are a mail-only account, but I still have to give them a legit /home dir for their Maildir.

--
| Ubuntu Linux | www.ubuntulinux.org |
| Kubuntu | www.kubuntu.org |
In reply to this post by Soren Hansen
[hidden email] wrote:
> Hi!
>
> A few days ago, I had a chat with someone on #ubuntu about Samba.
> He was wondering how to connect to samba on his Ubuntu box. He was used
> to running Gentoo, where he could just use his regular username and
> password. AFAICS that can be achieved in two ways:
> * Using unencrypted passwords
> * by integrating something like smbpasswd -L -a to adduser and the
>   smbpasswd PAM module to the passwd PAM stack, we can automagically
>   keep the samba user database in sync with the system one.
>
> Using unencrypted passwords is a really bad idea.
> If we want adduser to add a samba account we either need to rewrite
> adduser to call smbpasswd directly or add some sort of mechanism for
> calling hook scripts from adduser. The former would add a hard
> dependency on Samba which is less than elegant, while the latter
> method also would allow for other system specific stuff to happen
> upon account creation, like sending a welcome mail to the user or
> whatever you want. Obviously the security implications need to be carefully
> reviewed as the hook scripts will be passed the password of the newly
> created user.
>
> Thoughts?

The most elegant way to do this always seemed to be libpam-smbpass. It is a PAM password module that stores the user's password in the smbpasswd file. So after installing it, the user changes his password and can then log in via Samba.

See <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2647348> for more information.

--
Sam Morris
http://robots.org.uk/

PGP key id 5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
On Thu, Nov 10, 2005 at 12:58:11PM +0000, Sam Morris wrote:
> The most elegant way to do this always seemed to be libpam-smbpass. It
> is a PAM password module that stores the user's password in the
> smbpasswd file. So after installing it, the user changes his password
> and can then log in via Samba.

Yes, that's what I suggested for keeping the passwords in sync, but that doesn't help when creating the user, does it?

--
| Soren Hansen | Linux2Go | http://Linux2Go.dk/ |
| Seniorkonsulent | Lindholmsvej 42, 2. TH | +45 46 90 26 42 |
| [hidden email] | 9400 Norresundby, Denmark | GPG key: E8BDA4E3 |
[hidden email] wrote:
> On Thu, Nov 10, 2005 at 12:58:11PM +0000, Sam Morris wrote:
>
>>The most elegant way to do this always seemed to be libpam-smbpass. It
>>is a PAM password module that stores the user's password in the
>>smbpasswd file. So after installing it, the user changes his password
>>and can then log in via Samba.
>
> Yes, that's what I suggested for keeping the passwords in sync, but that
> doesn't help when creating the user, does it?

'Creating the user' is synonymous with creating an entry for them in the smbpasswd file, surely? Which is done when they change their password or, with one of the examples from the samba documentation, when they log into any other service.

--
Sam Morris
http://robots.org.uk/

PGP key id 5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
On Thu, 2005-11-10 at 15:54 +0000, Sam Morris wrote:
> >>The most elegant way to do this always seemed to be libpam-smbpass. It
> >>is a PAM password module that stores the user's password in the
> >>smbpasswd file. So after installing it, the user changes his password
> >>and can then log in via Samba.
> > Yes, that's what I suggested for keeping the passwords in sync, but that
> > doesn't help when creating the user, does it?
> 'Creating the user' is synonymous with creating an entry for them in the
> smbpasswd file, surely?

No, I was thinking more along the lines of creating the system user. That's what I wanted to trigger the creation of a corresponding Samba account. I think that would give Ubuntu one more of those "It Just Works(tm)" points. :-)

I agree totally with using the PAM module for when changing the passwords. I believe I wrote that in my first mail on the subject. The issue that needs some work done before it'll work is the creation of the Samba accounts.

Cheers, Søren.
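
Added example, not part of the thread and not adduser's or Samba's own code: a sketch of the account-creation hook discussed above, written so the new password is never visible in a process argument list or the environment. The hook contract (username in `$1`, password on stdin), the function name `add_samba_account` and the `SMBPASSWD` override are assumptions; `-s` is smbpasswd's read-from-stdin switch, which the thread does not mention.

```shell
#!/bin/sh
# Hypothetical adduser hook (assumed interface: username in $1, the new
# password as one line on stdin). Keeping the password out of argv matters
# because any local user can read other processes' arguments with ps.

SMBPASSWD="${SMBPASSWD:-smbpasswd}"   # assumed override, used for testing

add_samba_account() {
    user="$1"
    # Reject empty names, names that would parse as options, and anything
    # outside a conservative character set.
    case "$user" in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad username" >&2; return 2 ;;
    esac
    # Read the password verbatim: no backslash handling, no field splitting.
    IFS= read -r pw || [ -n "$pw" ] || return 3
    [ -n "$pw" ] || { echo "empty password" >&2; return 3; }
    # printf is a shell builtin here, so the password is not exec'd as an
    # argument. smbpasswd -s takes the new password twice on stdin;
    # -L (local mode) and -a (add) are the options named in the thread.
    printf '%s\n%s\n' "$pw" "$pw" | "$SMBPASSWD" -L -s -a "$user" >/dev/null
    rc=$?
    unset pw
    return "$rc"
}

# Usage inside a hook:  add_samba_account "$1"   (password arrives on stdin)
```

A site that does not want every system account to get Samba access, as the first reply points out, would check group membership or a per-account flag before calling the function.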