
Re: [Devel] Synchronising Linux and Windows passwords



Maximilian Wilhelm wrote:

On Thursday, 24 July, Ragnar Wisløff typed the following:



I've got Samba doing updates of the LDAP userPassword attribute when a
password change is initiated from a Windows client. However, this requires
binding using the admin LDAP user and supplying the admin password.
So far this is done in a Perl script, storing this admin password in
clear text in the script. I don't like having the password stored like this.
Is there another way? Is it somehow possible to access the password so that
it is not visible?



I'm not sure, but I guess it is possible to handle the password change under Unix via PAM, so it should be possible to call /usr/bin/passwd when changing the (Samba) password. Then only PAM has to know the LDAP admin password (which is stored in /etc/ldap.secret anyway). Any PAM guru here? :-)

That file will always contain the password? Then I can just have the Perl script get it from there. It is run as root now even if that is not ideal either.

I have tried to make the script run using the Samba macro %o (old password) and using ldapmodify ... -w $oldpass in the Perl script. This works from the command line, but not when run from inside Samba. I tried turning on the

passwd chat debug = yes

in smb.conf, but nothing shows up in the logs (is that parameter deprecated?).
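
Editor's added example, not code from anyone in this thread: a shell sketch of reading the bind password from a root-only file such as /etc/ldap.secret instead of embedding it in the script, refusing the file if its owner or mode is too loose, and passing it to ldapmodify with `-y` so it never appears in the process list the way `-w $pass` does. The function names are hypothetical; GNU `stat` and the OpenLDAP client tools are assumed.

```shell
#!/bin/sh
# Added example: validate a bind-secret file before handing it to ldapmodify.

# secret_file_ok FILE [EXPECTED_UID]
# Succeeds only if FILE is a regular file (not a symlink), owned by
# EXPECTED_UID (default 0, i.e. root), with mode 0400 or 0600.
secret_file_ok() {
    f=$1
    want_uid=${2:-0}
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # GNU stat assumed: %u = numeric owner, %a = octal permission bits
    info=$(stat -c '%u %a' "$f") || return 1
    uid=${info%% *}
    mode=${info##* }
    [ "$uid" = "$want_uid" ] || return 1
    case $mode in
        400|600) return 0 ;;   # nothing granted to group or other
        *)       return 1 ;;
    esac
}

# ldap_modify_with_secret BINDDN SECRET_FILE LDIF_FILE
# -y reads the password from SECRET_FILE, so it is not visible in argv.
# ldapmodify uses the complete file contents as the password, so the
# file must not end in a newline.
ldap_modify_with_secret() {
    if ! secret_file_ok "$2"; then
        echo "refusing to use $2: wrong owner, mode or file type" >&2
        return 1
    fi
    ldapmodify -x -D "$1" -y "$2" -f "$3"
}
```

The script still has to run as a user that can read the secret file, so this narrows where the password lives rather than removing the need for a privileged caller.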