Samba user passwords not auto synced with Linux user passwords #1188

JedMeister opened this issue Aug 31, 2018 · 0 comments



commented Aug 31, 2018

As noted in a related issue, this behaviour is caused by the missing package libpam-smbpass (the tool which synced Linux PAM passwords with Samba passwords). It was removed in Samba 4.4 (upstream). My reading suggests that it was due to security concerns and/or buggy behaviour.

As per the commit message, pam_winbind is a partial replacement. However, further reading suggests that the functionality we'd want isn't attainable via this module:

pam_winbind is not a total replacement, as the migrate functionality used
to keep the Samba password up to date with the system password is not
present, but otherwise can provide essentially the same services.

Unfortunately this means that Linux and Samba user passwords won't automagically be synced within the Fileserver (and Fileserver based apps) as they were in previous releases. However, I did read (somewhere) that it is possible to hook into useradd to set the Samba password at the same time the user is created. I have tested this and it currently DOES NOT work OOTB. So either what I read was mistaken, or it needs to be configured somehow (or perhaps I completely misunderstood?!).

[edit] I'm pretty sure I misunderstood! If you run smbpasswd -a <username> then a new Linux user named <username> is created, with a home directory etc!

Another option would be to create a copy of /usr/sbin/adduser (perhaps /usr/local/sbin/adduser?) and add smbpasswd -a "$username" (or something like that) in the right place to auto-set Samba user passwords at user creation time. However, I'm not too keen to do that. Essentially we'd need to maintain that moving forward and it may lull users into thinking that the old functionality still exists and cause further confusion when that doesn't happen.

At this point, the only options appear to be either hacks (e.g. the one suggested above) or relying on a remote Samba user database (e.g. completely joining to an AD domain). Here are a few other links I found that may (or may not) be relevant:
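
An added example, not part of the original issue and not TurnKey's code: one way to set a user's Linux and Samba passwords in a single step without patching adduser. It assumes it runs as root, that the Linux account already exists, and that the function names (valid_username, set_both_passwords) are hypothetical; the password is read from stdin and handed to chpasswd and smbpasswd -s over pipes so it never appears in a process argument list.

```shell
#!/bin/sh
# Added example: hypothetical helper, not shipped by TurnKey or Samba.
# Sets the Linux and Samba password of an existing user to the same value.

# Accept only conservative account names: lower-case letters, digits, '_' and
# '-', not starting with '-'. This keeps the name from being parsed as an
# option and from breaking the "user:password" line format chpasswd reads.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: set_both_passwords USER   (new password: one line on stdin)
# Returns 0 on success, 2 bad name, 3 unknown user, 4 empty password,
# 5 chpasswd failed, 6 smbpasswd failed.
set_both_passwords() {
    user=$1
    valid_username "$user" || { echo "invalid username" >&2; return 2; }

    # Refuse to touch Samba for an account that does not exist on the system.
    id "$user" >/dev/null 2>&1 || { echo "no such Linux user: $user" >&2; return 3; }

    # Read exactly one line; a final line without a newline is still accepted.
    IFS= read -r password || true
    [ -n "$password" ] || { echo "empty password on stdin" >&2; return 4; }

    rc=0
    # chpasswd takes "user:password" lines on stdin. printf is a shell
    # builtin, so the password is not exposed in any argv visible via ps.
    printf '%s:%s\n' "$user" "$password" | chpasswd || rc=5

    if [ "$rc" -eq 0 ]; then
        # smbpasswd -s reads the new password twice from stdin instead of
        # prompting on the tty; -a adds the Samba account if it is missing.
        printf '%s\n%s\n' "$password" "$password" \
            | smbpasswd -s -a "$user" >/dev/null || rc=6
    fi

    unset password
    return "$rc"
}

# Example call from an interactive root shell (constructed user name):
#   stty -echo; set_both_passwords alice; stty echo
```

If chpasswd succeeds and smbpasswd fails (return code 6), the two passwords are out of sync and the caller should report that rather than retry silently.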
