Syncing AD password with Samba

Hi all! I was hoping someone could point me in the right direction...

I am running Solaris 10, and 3.04 Samba (we might use 3.0.32).

What I want to do:

I want to provide samba shares to our Windows clients with single sign on

Currently what I have:

I have a Samba server providing shares for the Windows clients.

I manually use the following command for every user

smbpasswd -a username
default pass
confirm default pass

Now, to provide single sign on...

The user has to press CTRL + ALT + DEL and point to our Samba server;
input username and default pass and then use their current AD password which will provide promptless access to our samba shares as long as their AD password and smbpasswd are the same.

Now the problem is that the AD passwords change every month which makes this manual intervention rather tedious...

My Question:

I wanted to know what is the simplest (and best) way to provide synced AD password and Samba password, so when a user changes their AD password, the smbpasswd will be updated as well.

Now is this even possible?

Please let me know, as I am still learning and I am a little stumped...

If anyone knows any good docs, or correct terminology to help me search for this more appropriately, it would be greatly appreciated!!

Thanks!!

Looking over the samba docs ( http://us3.samba.org/samba/docs/using_samba/ch04.html ) I believe what you need is "Samba as a Domain Member Server" so that Samba will pass off auth details to the domain controller instead of managing its own list of accounts.

My experience with AD and Samba is very limited so I might be way off course; I posted what seemed to make sense to me and is a best guess.
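What the "domain member server" setup suggested above looks like in smb.conf, as an added example that is not part of the original thread. EXAMPLE, EXAMPLE.LOCAL, dc1.example.local, the share name and the share path are placeholders, not values from the posts.

```ini
# smb.conf sketch for Samba 3.0.x as an Active Directory member server.
# All names below are placeholders (assumptions), not values from the thread.
[global]
    # Short (NetBIOS) domain name and Kerberos realm of the AD domain
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL

    # Hand password validation to the domain controller instead of the
    # local smbpasswd file. "security = domain" is the alternative when
    # Samba was built without Kerberos/LDAP support.
    security = ads
    password server = dc1.example.local
    encrypt passwords = yes

    # Each domain user still needs a matching Unix account on this host
    # (local files, NIS or winbind); only the password check moves to AD.

[shared]
    path = /export/shared
    read only = no

# One-time join, run as root on the Samba host, then verify:
#   net ads join -U <domain admin account>
#   net ads testjoin
# (with "security = domain" the join command is "net rpc join")
```

Once the host is joined, a password change in AD takes effect for the shares immediately, because there is no per-user `smbpasswd -a` entry left to keep in step.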

Unfortunately, I don't think getting trusted by AD is an option...

Are there any other ways to pool this information?

Is there anybody out there that knows of a solution?

We have an LDAP server that can query for AD information; we can make our Solaris box running the Samba server an LDAP client, but currently the box is set up with NIS.

Is there any other possible way for AD to update the smbpasswd on the Samba server so users would only need to change their AD password once every few weeks as opposed to changing their AD password as well as their smbpasswd?

Any solutions with Samba or cheap alternatives?

Any help of any sort would be greatly appreciated!

Okay... I hope someone can clarify some of this for me (and correct my logic if I am not understanding the functionality if possible)

I've been searching and reading up on Samba and found a few options..

1.) I can have my Samba server added to AD and have AD authenticate the Windows user clients providing SSO to the Samba shares

2.) I can make use of PAM and have the smbpasswd change alongside the local unix password using passwd

3.) I can manually change the smbpasswd to match the AD password

4.) Is there any way to make use of the LDAP AD password to sync with the smbpasswd?

Any Samba experts out there?

Thanks,
Keep