Diff for "SambaPasswordSync"

This page describes how to "fix" Fedora core installations so samba passwords are correctly updated at the same time as system passwords.

The configuration files controlling unix authentication and password updates reside under /etc/pam.d/

The changes required to update samba passwords are in /etc/pam.d/system-auth (system-auth-ac under FC5)

Before changes, this file will look like:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so

We need to add the following line into the file BEFORE pam_unix.so

Make sure you match any style differences with the original. (e.g. FC3 prepends /lib/security/$ISA/)

password    sufficient    pam_smbpass.so nullok use_authtok try_first_pass

The password section of the file should then appear similar to below:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_smbpass.so nullok use_authtok try_first_pass
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

If enabling users to set stupid passwords is desired (this is STRONGLY discouraged or the machine could be hacked) then the pam_cracklib line can be commented out.