Samba accounts


Samba accounts

Soren Hansen
Hi!

A few days ago, I had a chat with someone on #ubuntu about Samba.
He was wondering how to connect to samba on his Ubuntu box. He was used
to running Gentoo, where he could just use his regular username and
password. AFAICS that can be achieved in two ways:
 * Using unencrypted passwords
 * by integrating something like smbpasswd -L -a to adduser and the
   smbpasswd PAM module to the passwd PAM stack, we can automagically
   keep the samba user database in sync with the system one.  


Using unencrypted passwords is a really bad idea.
If we want adduser to add a samba account we either need to rewrite
adduser to call smbpasswd directly or add some sort of mechanism for
calling hook scripts from adduser. The former would add a hard
dependency on Samba which is less than elegant, while the latter
method also would allow for other system specific stuff to happen
upon account creation, like sending a welcome mail to the user or
whatever you want. Obviously the security implications need to be carefully
reviewed as the hook scripts will be passed the password of the newly
created user.

Thoughts?

--
| Soren Hansen    | Linux2Go                  | http://Linux2Go.dk/ |
| Seniorkonsulent | Lindholmsvej 42, 2. TH    | +45 46 90 26 42     |
| [hidden email]  | 9400 Norresundby, Denmark | GPG key: E8BDA4E3   |

--
ubuntu-devel mailing list
[hidden email]
http://lists.ubuntu.com/mailman/listinfo/ubuntu-devel

Re: Samba accounts

Bugzilla from jason@jeetkunedomaster.net
On Thursday 10 November 2005 07:12, [hidden email] wrote:

> Hi!
>
> A few days ago, I had a chat with someone on #ubuntu about Samba.
> He was wondering how to connect to samba on his Ubuntu box. He was used
> to running Gentoo, where he could just use his regular username and
> password. AFAICS that can be achieved in two ways:
>  * Using unencrypted passwords
>  * by integrating something like smbpasswd -L -a to adduser and the
>    smbpasswd PAM module to the passwd PAM stack, we can automagically
>    keep the samba user database in sync with the system one.  
>
>
> Using unencrypted passwords is a really bad idea.
> If we want adduser to add a samba account we either need to rewrite
> adduser to call smbpasswd directly or add some sort of mechanism for
> calling hook scripts from adduser. The former would add a hard
> dependency on Samba which is less than elegant, while the latter
> method also would allow for other system specific stuff to happen
> upon account creation, like sending a welcome mail to the user or
> whatever you want. Obviously the security implications need to be carefully
> reviewed as the hook scripts will be passed the password of the newly
> created user.
>
> Thoughts?

My first thought is that I don't want every user I add to my servers to have
samba access, especially if they are a mail-only account, but I still have to
give them a legit /home dir for their Maildir.

--
| Ubuntu Linux
| www.ubuntulinux.org
|
| Kubuntu
| www.kubuntu.org


Re: Samba accounts

Sam Morris
In reply to this post by Soren Hansen
[hidden email] wrote:

> Hi!
>
> A few days ago, I had a chat with someone on #ubuntu about Samba.
> He was wondering how to connect to samba on his Ubuntu box. He was used
> to running Gentoo, where he could just use his regular username and
> password. AFAICS that can be achieved in two ways:
>  * Using unencrypted passwords
>  * by integrating something like smbpasswd -L -a to adduser and the
>    smbpasswd PAM module to the passwd PAM stack, we can automagically
>    keep the samba user database in sync with the system one.  
>
>
> Using unencrypted passwords is a really bad idea.
> If we want adduser to add a samba account we either need to rewrite
> adduser to call smbpasswd directly or add some sort of mechanism for
> calling hook scripts from adduser. The former would add a hard
> dependency on Samba which is less than elegant, while the latter
> method also would allow for other system specific stuff to happen
> upon account creation, like sending a welcome mail to the user or
> whatever you want. Obviously the security implications need to be carefully
> reviewed as the hook scripts will be passed the password of the newly
> created user.
>
> Thoughts?

The most elegant way to do this always seemed to be libpam-smbpass. It
is a PAM password module that stores the user's password in the
smbpasswd file. So after installing it, the user changes his password
and can then log in via Samba.

See
<http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html#id2647348>
for more information.

--
Sam Morris
http://robots.org.uk/

PGP key id 5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078



Re: Samba accounts

Soren Hansen
On Thu, Nov 10, 2005 at 12:58:11PM +0000, Sam Morris wrote:
> The most elegant way to do this always seemed to be libpam-smbpass. It
> is a PAM password module that stores the user's password in the
> smbpasswd file. So after installing it, the user changes his password
> and can then log in via Samba.

Yes, that's what I suggested for keeping the passwords in sync, but that
doesn't help when creating the user, does it?

--
| Soren Hansen    | Linux2Go                  | http://Linux2Go.dk/ |
| Seniorkonsulent | Lindholmsvej 42, 2. TH    | +45 46 90 26 42     |
| [hidden email]  | 9400 Norresundby, Denmark | GPG key: E8BDA4E3   |


Re: Samba accounts

Sam Morris
[hidden email] wrote:

> On Thu, Nov 10, 2005 at 12:58:11PM +0000, Sam Morris wrote:
>
>>The most elegant way to do this always seemed to be libpam-smbpass. It
>>is a PAM password module that stores the user's password in the
>>smbpasswd file. So after installing it, the user changes his password
>>and can then log in via Samba.
>
>
> Yes, that's what I suggested for keeping the passwords in sync, but that
> doesn't help when creating the user, does it?

'Creating the user' is synonymous with creating an entry for them in the
smbpasswd file, surely? Which is done when they change their password
or, with one of the examples from the samba documentation, when they log
into any other service.

--
Sam Morris
http://robots.org.uk/

PGP key id 5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078



Re: Samba accounts

Soren Hansen
On Thu, 2005-11-10 at 15:54 +0000, Sam Morris wrote:
> >>The most elegant way to do this always seemed to be libpam-smbpass. It
> >>is a PAM password module that stores the user's password in the
> >>smbpasswd file. So after installing it, the user changes his password
> >>and can then log in via Samba.
> > Yes, that's what I suggested for keeping the passwords in sync, but that
> > doesn't help when creating the user, does it?
> 'Creating the user' is synonymous with creating an entry for them in the
> smbpasswd file, surely?

No, I was thinking more along the lines of creating the system user.
That's what I wanted to trigger the creation of a corresponding Samba
account. I think that would give Ubuntu one more of those "It Just
Works(tm)" points. :-)

I agree totally with using the PAM module for when changing the
passwords. I believe I wrote that in my first mail on the subject. The
issue that needs some work done before it'll work is the creation of the
Samba accounts.


Cheers, Søren.
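
The account-creation hook discussed in this thread, sketched as an added example that is not part of the thread, adduser or Samba: it creates the Samba entry for a new system user without the password ever appearing in a process argument list or the environment. The hook interface (username as the only argument, password as the first line of stdin) and the names `samba_hook`, `valid_username` and `SMBPASSWD` are assumptions made for illustration; only `smbpasswd` and its `-L`, `-s` and `-a` options are real.

```shell
#!/bin/sh
# Hypothetical post-adduser hook (added example, not adduser's own interface).
# Usage: printf '%s\n' "$password" | samba_hook USERNAME

# Overridable so the hook can be exercised on a machine without Samba.
: "${SMBPASSWD:=smbpasswd}"

# Accept only conservative account names: nothing empty, nothing that could
# be parsed as an option, nothing outside [a-z0-9_-], at most 32 characters.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

samba_hook() {
    user=$1
    valid_username "$user" || { echo "samba_hook: bad username" >&2; return 2; }

    # Read the password from stdin. IFS= and -r keep leading/trailing spaces
    # and backslashes intact. Passing it as an argument instead would expose
    # it to every local user via the process list.
    IFS= read -r pw || true
    [ -n "$pw" ] || { echo "samba_hook: no password on stdin" >&2; return 3; }

    # printf is a shell builtin, so no external process gets the password in
    # its argv. smbpasswd -s reads the new password twice from stdin; -L
    # (which must come first) with -a adds the entry to the local database.
    hook_rc=0
    printf '%s\n%s\n' "$pw" "$pw" | "$SMBPASSWD" -L -s -a "$user" >/dev/null \
        || hook_rc=$?
    unset pw
    return "$hook_rc"
}
```

Such a hook would also be the place to implement the opt-out raised earlier in the thread, for example by skipping accounts that should remain mail-only.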

