samba sync password with unix password on debian wheezy
Well... the missing link was:
libpam-smbpass
So, after installing this packages it works as expected. The Internet's long term memory just brings partial information sometimes. So in order to fight this I am publishing here the correct link how to sync samba passwords with unix passwords, and also my own test.
root@raspberrypi:/home/pi# passwd mag2
passwd: user 'mag2' does not exist
root@raspberrypi:/home/pi# useradd mag2
root@raspberrypi:/home/pi# echo "mag2:12345" | chpasswd
root@raspberrypi:/home/pi# smbclient -L localhost -U mag2
Enter mag2's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (raspberrypi server)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]
Server Comment
--------- -------
RASPBERRYPI raspberrypi server
Workgroup Master
--------- -------
WORKGROUP
root@raspberrypi:/home/pi# su pi
pi@raspberrypi ~ $ su mag2
Password:
Added user mag2.
mag2@raspberrypi:/home/pi$
I hope this helps someone else.
update 2017:
libpam-smbpass
is deprecated. It seems what replaced it is pam_winbindd
. You can install the package libpam-winbind
to get it. This however, still does not sync samba passwords with your unix passwords.
Instead it allows you to authenticated to unix with a Windows Authentication server (AD). You can find info on that here: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Wanted to comment on previous answer but could not do it for lack of reputation points. Tried to put the full content on this answer but could not as it said that looked like spam. here is the access to the full content on the wayback machine, and following is the brief version of main points:
Unix and Samba password sync on Debian Etch
Install the following packages:
# apt-get install libpam-smbpass smbclient
Unix -> Samba
In order to update the Samba password whenever a user changes their Unix password, change
/etc/pam.d/common-password: from
password required pam_unix.so nullok obscure min=4 max=8 md5
to
password requisite** pam_unix.so nullok obscure min=4 max=8 md5
password required pam_smbpass.so nullok use_authtok try_first_pass
Changing "required" to "requisite" for pam_unix will make sure that if Unix password change fails, the execution of plugins ends immediately.
In order for this to work, users must already have Samba accounts, and their Samba passwords must match their Unix passwords. Because this is not necessarily the case, we must change
/etc/pam.d/common-auth: from
auth required pam_unix.so nullok_secure
to
auth requisite pam_unix.so nullok_secure
auth optional pam_smbpass.so migrate
This will create a Samba user, if it doesn't already exist, and change it's password to the Unix password, whenever the user logs in using SSH or any other service that uses default system (common-auth) authentication.
You should see a message Added user when logging in using SSH with an account that doesn't already have a Samba account.
Because this will also create a Samba account for root, you might want to disable root access in Samba (Debian Etch has it disabled by default):
/etc/samba/smb.conf:
invalid users = root
Caveat: This will not work if the user logs in via SSH or other services without using a password (for example by using public/private key authentication). In this case, PAM won't have the plain-text password, which is needed to create the Samba password.
Notice: When you modify common-password to also require Samba passwords updates, any currently logged in users will not be able to change their password using "passwd" until they re-login, unless they already have an existing Samba account with a password equal to their Unix password.
Samba -> Unix
We instruct Samba to use PAM when changing passwords:
/etc/samba/smb.conf:
unix password sync = yes
pam password change = yes
Restart Samba using /etc/init.d/samba restart.
Configure PAM to support changing of password by Samba by adding @include common-password:
/etc/pam.d/samba:
@include common-auth
@include common-account
@include common-session
@include common-password
This will use the same mechanism to change passwords when using Samba as when using "passwd". This means it will require an update of the Unix password before attempting to change the Samba password.
Creating new users
use chpasswd to avoid error:
# useradd test
# echo “test:newpass” | chpasswd