SMB2NIS - smb2nis.tgz

Synchronization of Samba PDC passwords with NIS (Yellow Pages) passwords

Samba, acting as a PDC (Primary Domain Controller), provides a way to synchronize Windows domain passwords with Unix passwords. To achieve this, two options must be set in the global section of smb.conf:

unix password sync = yes
passwd program = full_path_to_program %u

With these options set, each time a user asks Windows to change his domain password, the Samba PDC calls the program specified in "passwd program" before changing the domain password, passing the username as the first argument. Samba then expects a double prompt for the new password and finally a success string; if this does not happen, the operation is aborted and the domain password isn't changed. This dialog can be configured, but the default is normally sufficient.

The problem

When encrypted passwords are used (required for PDC operation), there is a minor problem:

The user's old (current) password is not available

Because the "passwd program" is called as root, this is not a problem when you use the normal passwd command to change the files /etc/passwd and/or /etc/shadow. On the other hand, if you are using NIS, this may be a big problem.

To change the NIS password, yppasswd must be used; however, yppasswd always requires (even when called by root) either the user's current password or, if compiled with that option, the root password. The user's old password is not available, and the root password is not the kind of thing you would like to put in a script.

If your NIS source files are in /etc, you can build a script to call passwd and then pwupdate; in this case you don't need smb2nis. Using the /etc files as the NIS source means local user information (root, ...) will be available on the network, and some administrators don't like that.

My solution

To solve this problem I wrote this little program, which directly changes the password in the NIS source files and then calls the pwupdate command to update the passwords in the NIS database. It works the same way as the yppasswdd daemon, which is used by the yppasswd command.

THIS SOLUTION IS ONLY VALID IF THE PDC CONTROLLER AND THE NIS SERVER ARE ON THE SAME MACHINE

Setting up

  1. Untar smb2nis.tgz and go to the smb2nis directory just created.
  2. Edit the smb2nis.c file to set the required paths for your system.
  3. Run make; you may have to switch the gcc line in the Makefile for it to compile.
  4. Copy the smb2nis binary to the appropriate place and edit the smb.conf option "passwd program";
    don't forget the "full path" and "%u".
  5. Copy the "nochange" file to the appropriate place. This file can be used to deny some users the password
    change; root should be there.

BEFORE TESTING, IT IS WISE TO BACK UP THE NIS SOURCE FILES
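
An added example, not taken from smb2nis.c: the checks a root-run "passwd program" can make on the %u argument before touching the NIS source files, rejecting names that are unsafe in a colon-separated password file and refusing users listed in "nochange". The one-name-per-line deny-list format, the 32-character limit and the function names are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample; the page does not give the "nochange" format, so
   one username per line with '#' comments is assumed here. */
static const char SAMPLE_NOCHANGE[] = "root\n# system accounts\ndaemon\n  bin  \n";

/* %u comes from a network client and ends up in a root-owned,
   colon-separated file: accept only conservative account names.
   The 32-character limit is an assumption. */
int valid_username(const char *u)
{
    size_t n = strlen(u);
    if (n == 0 || n > 32 || u[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)u[i]) && !strchr("._-", u[i]))
            return 0;
    return 1;
}

/* Whole-line match against the deny list, so "roo" does not match "root". */
int user_denied(const char *list, const char *user)
{
    size_t ulen = strlen(user);
    while (*list) {
        const char *eol = strchr(list, '\n');
        size_t len = eol ? (size_t)(eol - list) : strlen(list);
        const char *next = list + len + (eol ? 1 : 0);
        while (len && isspace((unsigned char)*list)) { list++; len--; }
        while (len && isspace((unsigned char)list[len - 1])) len--;
        if (len == ulen && *list != '#' && memcmp(list, user, len) == 0)
            return 1;
        list = next;
    }
    return 0;
}

/* Returns 1 only if the change may proceed; anything odd fails closed. */
int may_change(const char *list, const char *user)
{
    return user && valid_username(user) && !user_denied(list, user);
}

int main(int argc, char **argv)
{
    /* Exit non-zero before any NIS source file is opened. */
    return may_change(SAMPLE_NOCHANGE, argc > 1 ? argv[1] : NULL) ? 0 : 1;
}
```

Because the program exits non-zero without printing the success string, Samba aborts the operation and the domain password stays unchanged, as described above.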