Having a regular password and an encrypted version of the same password can be troublesome when you need to change both of them. Luckily, Samba affords you a limited ability to keep your passwords synchronized. Samba has a pair of configuration options that can be used to automatically update a user's regular Unix password when the encrypted password is changed on the system. The feature can be activated by specifying the
unix
password
sync global configuration option:
[global]
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
unix password sync = yes
With this option enabled, Samba will attempt to change the user's regular password (as
root) when the encrypted version is changed with
smbpasswd. However, there are two other options that have to be set correctly in order for this to work.
The easier of the two is
passwd
program. This option simply specifies the Unix command used to change a user's standard system password. It is set to
/bin/passwd
%u by default. With some Unix systems, this is sufficient and you do not need to change anything. Others, such as Red Hat Linux, use
/usr/bin/passwd instead. In addition, you may want to change this to another program or script at some point in the future. For example, let's assume that you want to use a script called
changepass to change a user's password. Recall that you can use the variable
%u to represent the current Unix username. So the example becomes:
[global]
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
unix password sync = yes
passwd program = changepass %u
Note that this program will be called as the
root user when the
unix
password
sync option is set to
yes. This is because Samba does not necessarily have the plaintext old password of the user.
The harder option to configure is
passwd
chat. The
passwd
chat option works like a Unix chat script. It specifies a series of strings to send as well as responses to expect from the program specified by the
passwd
program option. For example, this is what the default
passwd
chat looks like. The delimiters are the spaces between each groupings of characters:
passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*
The first grouping represents a response expected from the password-changing program. Note that it can contain wildcards (*), which help to generalize the chat programs to be able to handle a variety of similar outputs. Here,
*old*password* indicates that Samba is expecting any line from the password program containing the letters
old followed by the letters
password, without regard for what comes on either side or between them. Once instructed to, Samba will wait indefinitely for such a match. Is Samba does not receive the expected response, the password will fail.
The second grouping indicates what Samba should send back once the data in the first grouping has been matched. In this case, you see
%o\n. This response is actually two items: the variable
%o represents the old password, while the
\n is a newline character. So, in effect, this will "type" the old password into the standard input of the password changing program, and then "press" Enter.
Following that is another response grouping, followed by data that will be sent back to the password changing program. (In fact, this response/send pattern continues indefinitely in any standard Unix
chat script.) The script continues until the final pattern is matched.[]
You can help match the response strings sent from the password program with the characters listed in
Table 6.6. In addition, you can use the characters listed in
Table 6.7 to help formulate your response.
Table 6.6: Password Chat Response Characters
|
Character |
Definition |
|
* |
Zero or more occurrences of any character. |
|
" " |
Allows you to include matching strings that contain spaces. Asterisks are still considered wildcards even inside of quotes, and you can represent a null response with empty quotes. |
Table 6.7: Password Chat Send Characters
|
Character |
Definition |
|
%o |
The user's old password |
|
%n |
The user's new password |
|
\n |
The linefeed character |
|
\r |
The carriage-return character |
|
\t |
The tab character |
|
\s |
A space |
For example, you may want to change your password chat to the following entry. This will handle scenarios in which you do not have to enter the old password. In addition, this will also handle the new
all
tokens
updated
successfully string that Red Hat Linux sends:
passwd chat = *new password* %n\n *new password* %n\n *success*
Again, the default chat should be sufficient for many Unix systems. If it isn't, you can use the
passwd
chat
debug global option to set up a new chat script for the password change program. The
passwd
chat
debug option logs everything during a password chat. This option is a simple boolean, as shown below:
[global]
encrypted passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
unix password sync = yes
passwd chat debug = yes
log level = 100
After you activate the password chat debug feature, all I/O received by Samba through the password chat will be sent to the Samba logs with a debug level of 100, which is why we entered a new log level option as well. As this can often generate multitudes of error logs, it may be more efficient to use your own script, by setting the
passwd
program option, in place of
/bin/passwd to record what happens during the exchange. Also, make sure to protect your log files with strict file permissions and to delete them as soon as you've grabbed the information you need, because they contain the passwords in plaintext.
The operating system on which Samba is running may have strict requirements for valid passwords in order to make them more impervious to dictionary attacks and the like. Users should be made aware of these restrictions when changing their passwords.
Earlier we said that password synchronization is limited. This is because there is no reverse synchronization of the encrypted
smbpasswd file when a standard Unix password is updated by a user. There are various strategies to get around this, including NIS and freely available implementations of the pluggable authentication modules (PAM) standard, but none of them really solve all the problems yet. In the future, when Windows 2000 emerges, we will see more compliance with the Lightweight Directory Access Protocol (LDAP), which promises to make password synchronization a thing of the past.
