This page describes how to "fix" Fedora core installations so samba passwords are correctly updated at the same time as system passwords.
Note: this is still not perfect. Configuration on Caesars is ongoing. stay tuned.
Note: The addusr and ccpass script will now update the Linux and SAMBA password for you in one go.
For more information on pam_smbpass see http://www.samba.org/samba/docs/man/Samba3-HOWTO/pam.html
The configuration files controlling unix authentication and password updates reside under /etc/pam.d/
The changes required to update samba passwords are in /etc/pam.d/system-auth (system-auth-ac under FC5)
Before changes, this file will look like:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so session required pam_limits.so session required pam_unix.so
We need to add the following line into the file BEFORE pam_unix.so
Make sure you match any style differences with the original. (e.g. FC3 prepends /lib/security/$ISA/)
password sufficient pam_smbpass.so nullok use_authtok try_first_pass
The password section of the file should then appear similar to below:
password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_smbpass.so nullok use_authtok try_first_pass password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so
If enabling users to set stupid passwords is desired (this is STRONGLY discouraged or the machine could be hacked) then the pam_cracklib line can be commented out.