The Samba-Bugzilla – Bug 3240
libpam-smbpass: Migrate support in password module
Last modified: 2005-11-05 00:34:38 UTC
This bug is an old one in the Debian BTS. I have no precise opinion on the
suggestion as this part of the code is not something I use myself.
The bug submitter proposed a patch which does not apply completely cleanly on
current sources, but seems easy to adapt.
I personally classify this as a feature request.
The bug submitter said:
The auth component of libpam-smbpass contains an option, 'migrate',
which adds users who authenticated in a prior module to the smbpasswd
file, in order to ease migration to smbpasswd. However, this means that
new users must log in at least once to be added to the smbpasswd file,
making it still partially difficult to keep the passwd and smbpasswd
This patch adds migrate functionality to the password component of
libpam_smbpass. This means that, if the migrate option is set,
libpam_smbpass will add the username and new password to the smbpasswd
file if they are not already in it; if they are, it will change their
If migrate is not enabled, the module will function as before. If
migrate is enabled, but the user is already in the smbpasswd file, it
will function as before.
Though there is the slight security risk that any user's password will
be blindly changed by this module, and the risk that new users will be
happily added by this module, neither is possible if the module is used
properly. If the module is preceded by pam_unix in requisite mode,
pam_smbpass will not be executed if pam_unix fails, which it does in
both cases mentioned above: an unknown user, and an invalid old
This is a security issue because it enables keeping the two different
password databases synchronized, allowing for better system management.
If a password is changed from within Samba, enabling the 'pam password
change' option in smb.conf will keep the UNIX password database current.
If a password is changed via PAM, pam_smbpass will ensure that smbpasswd
is updated. If a new user is added, the first time their password is
changed, when their password is first set, probably by adduser, they
will be automatically added to smbpasswd.
Care must be taken to remove users from smbpasswd when they are removed
from passwd, but this is not new to pam_smbpass or this module.
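The ordering condition the bug submitter describes (pam_unix in requisite mode ahead of pam_smbpass with migrate) can be checked mechanically. The following is an added example, not part of the bug report or the proposed patch; it assumes /etc/pam.d-style lines, treats only the literal control keyword `requisite` as a gate, and uses constructed sample stacks.

```python
# Added example: checks a PAM "password" stack for the ordering the bug
# submitter relies on. The sample stacks below are constructed.

def password_rules(text):
    """Yield (control, module, args) for each 'password' rule, in file order."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "password":
            continue
        if fields[1].startswith("["):          # e.g. [success=1 default=ignore]
            end = next((i for i in range(1, len(fields))
                        if fields[i].endswith("]")), None)
            if end is None or end + 1 >= len(fields):
                continue
            control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        yield control, rest[0].rsplit("/", 1)[-1], rest[1:]


def ungated_migrate(text):
    """Return pam_smbpass 'migrate' rules not preceded by a requisite pam_unix."""
    gated, findings = False, []
    for control, module, args in password_rules(text):
        if module == "pam_unix.so" and control == "requisite":
            gated = True
        elif module == "pam_smbpass.so" and "migrate" in args and not gated:
            findings.append(f"{control} {module} {' '.join(args)}")
    return findings


GATED = """\
password requisite pam_unix.so nullok obscure md5
password required  pam_smbpass.so use_authtok migrate
"""
# 'required' records the failure but still runs the modules that follow it.
NOT_GATED = """\
password required pam_unix.so nullok obscure md5
password required pam_smbpass.so use_authtok migrate
"""
WRONG_ORDER = """\
password required  /lib/security/pam_smbpass.so migrate
password requisite pam_unix.so nullok
"""

if __name__ == "__main__":
    for name, stack in [("GATED", GATED), ("NOT_GATED", NOT_GATED),
                        ("WRONG_ORDER", WRONG_ORDER)]:
        print(name, ungated_migrate(stack) or "ok")
```
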
I'm having trouble making head or tail of this, but it seems to me that it
requests no change over running an automatic 'make all passwd users smbpasswd
users' script (which would set deliberately invalid passwords).
It is unclear this is a worthwhile feature, the patch is old and may well work
against the administrator's expectation.