[CentOS] How best to allow users to change Samba passwords?

Wed Jul 1 15:38:29 UTC 2009
Alexander Georgiev <alexander.georgiev at gmail.com>

2009/7/1 Kevin Thorpe <kevin at pibenchmark.com>:
> On 01/07/2009 14:29, Jason Pyeron wrote:
>
> We're missing some bits on this. We don't run Windows servers at all so the
> Exchange route is out. Also most of our
> workstations are only windows Home, not Professional so we can't use a
> domain or the ctrl-alt-del approach. I think
> I'm going to have to use openLDAP to do this, but it seems overly hard to
> set up. It will however work for Samba,
> Scalix and our website (Drupal) so I think it's the way to go.

I have successfully used http://www.pgina.org to authenticate Windows
Home users against a Samba domain. pGina has plugins for different
authentication providers, so openLDAP should work.

Of course you should ensure user and password synchronization between
the 2 servers as a first step. OpenLDAP will work. I have used
http://sourceforge.net/projects/smbldap-tools/ to store the Samba account
database in OpenLDAP.

The real challenge for me, 7 years ago, was password expiration. I
believe this requirement will sooner or later come to you. Users tend
to use the same password for years. Therefore a mechanism of password
expiration must be enforced to make sure those passwords will be
changed; the mechanism also observes that passwords are strong and not
rotated.

When I was using a Windows NT4 domain there was a mechanism which
would observe the password expiration of domain users and would
trigger via RPC a password change request on the user workstation.
Upon login, the user would not be granted login until the password was
changed.

I could not reproduce this behavior using samba 2.2.xxx and have not
tried since then.


With best regards
Alexander