# Samba4 password sync on Gentoo?

## The_Great_Sephiroth

I cannot seem to get Samba password sync working. I can manually create users and passwords, but I am not sure how to sync them in Samba 4. I believe my problem is changing the password since it asks for the current password, then new one twice. I am running 4.2.11 from Gentoo. Flags set are ads, aio, client, quota, winbind and it is in standalone (no domain) mode.

```
[global]
workgroup = RTFP
realm = RTFP
server string = %h Workstation
server role = standalone server
security = user
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = ???
log file = /var/log/samba/log.%m
max log size = 50
dns proxy = No
idmap config * : backend = tdb

[Shared]
comment = Shared Documents
path = /home/shared
valid users = @users
force user = root
force group = users
read only = No
create mode = 0660
directory mode = 0770
```

The share works as expected, so all is good there. I just need to know how to keep my passwords synced. I have several systems in a workgroup environment with multiple users and it gets chaotic changing this stuff manually frequently.

----------

## vaxbrat

This can get involved depending on what you are doing with your samba setup.  Our standard model at work is to have a winders server set up as an AD domain controller.  It looks like you have Linux doing the honors here so you are going to have to do things a bit differently from my model of using Winbind to do the password chores:

This is an example pam system-auth-ac for centos6.x which I also force in place of the password-auth-ac that RedHat likes using.  For Gentoo you will be hacking up your /etc/pam.d/system-auth file:

```
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth        required      pam_lastlog.so inactive=90
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=3600 fail_interval=900 root_unlock_time=600 audit
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_faillock.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type= difok=1 minlen=14 dcredit=-1 ocredit=-1 ucredit=-1 lcredit=-1
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok remember=24
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     [default=1]   pam_lastlog.so nowtmp showfailed
session     optional      pam_lastlog.so silent noupdate showfailed
session     required      pam_unix.so
```

To handle sync on the password change look at the items in the password stack above.  I hit pam_cracklib first to do the whole prompting of new password and then applying the complexity tests that are needed to satisfy the "suits", in this case, US govt standards for classified IS systems which require a minimum of 14 chars, and at least one of each class of char (upper, lower, digit and "other").  The standard also now requires that the password be different from the 24 previously used passwords that the user had set, thus the "remember=24" on the pam_unix module.  pam_winbind takes the password returned from pam_cracklib and throws it over the wall to the Windows Active Directory DC and thus accomplishes the transparent synching of passwords that we want with the whole single sign-on concept.

/etc/nsswitch.conf also needs to have winbind set up in it for the searching of local and then of AD users and passwords such as:

```
passwd:     files winbind
shadow:     files winbind
group:      files winbind
```

So going back to what you need to do for synching up the smbpasswd database, you will probably be using pam_smbpass.  Doing a quick google on it yields something from our bsd friends among other things:

https://forums.freebsd.org/threads/49581/

I suspect you will end up with something like this in your system-auth in place of the pam_winbind.so stanza above:

```
password    sufficient    pam_smbpass.so use_authtok migrate
```
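
Added example, not code from this thread: a small Python evaluator of the simplified Linux-PAM control-flag semantics, useful for checking which modules of a password stack actually execute once a `sufficient` module has succeeded. It walks the password stack in the shape suggested above (pam_smbpass in place of pam_winbind) and, as an assumption of my own rather than something from the thread, an alternative ordering with the sync module listed first as `required`; the per-module outcomes are constructed.

```python
"""Added illustration: a simplified evaluator of Linux-PAM control flags, used to
see which modules of a password stack actually execute. Not Linux-PAM itself."""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]  # (control, module)


def run_stack(stack: Stack, results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk the stack with simplified Linux-PAM semantics. results maps module ->
    True (success) or False; a module absent from results is treated as failing.
    Returns (final outcome, modules that actually executed, in order)."""
    executed: List[str] = []
    required_failed = False
    for control, module in stack:
        executed.append(module)
        ok = results.get(module, False)
        if control == "required":
            required_failed = required_failed or not ok  # remember, keep going
        elif control == "requisite":
            if not ok:
                return False, executed  # fail fast: the rest never runs
        elif control == "sufficient":
            if ok and not required_failed:
                return True, executed  # short-circuit: later modules never run
        elif control != "optional":  # optional is ignored when others decide
            raise ValueError(f"unsupported control flag: {control}")
    return not required_failed, executed


# Password stack in the shape suggested above: pam_smbpass in place of pam_winbind.
SUGGESTED: Stack = [("requisite", "pam_cracklib.so"), ("sufficient", "pam_unix.so"),
                    ("sufficient", "pam_smbpass.so"), ("required", "pam_deny.so")]
# Alternative ordering (an assumption, not from the thread): sync module first, required.
SYNC_FIRST: Stack = [("requisite", "pam_cracklib.so"), ("required", "pam_smbpass.so"),
                     ("sufficient", "pam_unix.so"), ("required", "pam_deny.so")]
# Constructed module outcomes: a user with an /etc/shadow entry, so pam_unix succeeds...
LOCAL_USER = {"pam_cracklib.so": True, "pam_unix.so": True, "pam_smbpass.so": True}
# ...and a user with no shadow entry (e.g. winbind-only), so pam_unix fails.
NO_SHADOW_USER = {"pam_cracklib.so": True, "pam_unix.so": False, "pam_smbpass.so": True}


def smbpass_runs(stack: Stack, results: Dict[str, bool]) -> bool:
    """True when the stack both executes pam_smbpass.so and ends in success."""
    outcome, executed = run_stack(stack, results)
    return outcome and "pam_smbpass.so" in executed


if __name__ == "__main__":
    for name, stack in (("suggested", SUGGESTED), ("sync-first", SYNC_FIRST)):
        print(name, run_stack(stack, LOCAL_USER), run_stack(stack, NO_SHADOW_USER))
```

The point to take from the trace is that a password change for a user who exists in /etc/shadow ends at the `sufficient` pam_unix line, so a sync module placed after it only runs for users pam_unix cannot handle.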

----------

