== This page describes how to "fix" Fedora Core installations so Samba passwords are correctly updated at the same time as system passwords. ==

''''' Note: this is still not perfect. Configuration on Caesars is ongoing. Stay tuned. '''''

== Note: The addusr and ccpass scripts will now update the Linux and Samba password for you in one go. ==

For more information on pam_smbpass see http://www.samba.org/samba/docs/man/Samba3-HOWTO/pam.html

The configuration files controlling Unix authentication and password updates reside under /etc/pam.d/

The changes required to update Samba passwords are in /etc/pam.d/system-auth (system-auth-ac under FC5).

=== Before changes, this file will look like: ===

{{{
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
}}}

=== We need to add the following line into the file BEFORE pam_unix.so ===

Make sure you match any style differences with the original (e.g. FC3 prepends /lib/security/$ISA/).

{{{
password    sufficient    pam_smbpass.so nullok use_authtok try_first_pass
}}}

=== The password section of the file should then appear similar to below: ===

{{{
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_smbpass.so nullok use_authtok try_first_pass
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
}}}

If enabling users to set stupid passwords is desired (this is '''''STRONGLY discouraged''''', or the machine could be hacked), then the pam_cracklib line can be commented out.
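
One way to confirm that the edited file has the layout described above, as an added example that is not part of the original page. The function name `check_smbpass_sync` and its return codes are made up for this example; it only reads the file and reports whether pam_smbpass.so is present ahead of pam_unix.so in the password stack and whether pam_cracklib.so is still active.

```shell
#!/bin/sh
# Added example (not from the original page): audit a PAM file's password
# stack for the layout described above. Function name and return codes are
# this example's own convention:
#   0 ok | 1 pam_smbpass missing | 2 pam_smbpass after pam_unix
#   3 pam_cracklib missing or commented out | 4 file unreadable
check_smbpass_sync() {
    [ -r "$1" ] || { echo "cannot read $1"; return 4; }
    awk '
        # Comment lines (including commented-out modules) are inactive.
        $1 ~ /^#/ || NF < 3 || $1 != "password" { next }
        {
            n++
            # Skip a bracketed control such as [success=1 default=ignore].
            i = 2
            if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            # Drop any directory prefix, e.g. the FC3 /lib/security/$ISA/ form.
            mod = $(i + 1); sub(/.*\//, "", mod)
            if (mod == "pam_smbpass.so"  && !smb) smb = n
            if (mod == "pam_unix.so"     && !ux)  ux = n
            if (mod == "pam_cracklib.so")         crack = n
        }
        END {
            if (!smb)           { print "pam_smbpass.so is not in the password stack"; exit 1 }
            if (ux && smb > ux) { print "pam_smbpass.so is listed after pam_unix.so";  exit 2 }
            if (!crack)         { print "pam_cracklib.so is missing or commented out"; exit 3 }
            print "password stack matches the documented layout"
        }
    ' "$1"
}

# Run against a file given on the command line, e.g. /etc/pam.d/system-auth.
if [ $# -gt 0 ]; then check_smbpass_sync "$1"; fi
```

Run it after every authconfig run as well, since the file header warns that user changes are destroyed when the file is regenerated.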