
The secrets of OSX Samba password handling Network
I have set up a G4 with OS X to serve as a file server in a mixed environment. For PCs with Win98, XP and NT to access the server, I had quite some config work to do with the Samba setup. Everything was smooth, but some PC users could still not authenticate with the OS X Samba server. While investigating the problem, I discovered some discrepancies with the generic Samba docs and the OS X Samba version with respect to password handling. Effectively, I had three options to change passwords for users on the OS X server:
  1. Directly change the Unix password from a telnet session with asswd
  2. Using the samba tool smbpasswd
  3. Using an external Mac(!) with AppleShare and using the "change password" dialog there.
It turns out that the smbpasswd command had no effect at all; even if a /var -> db -> samba -> smbpasswd was there, it was ignored.

The method via AppleShare changed the Unix password and the Samba password stored as a hash code in /var -> db -> samba -> hash -> Username. It is this hash file (and not the smbpasswd file) which controls the access to the server. The smbpasswd command, however, does not change this hash file; only the AppleShare dialog was successful.

[robg adds: I haven't tested Samba connectivity from anything other than Win2K and WindowsXP boxes, so I can't verify these claims, but thought they might be useful to someone.]

The secrets of OSX Samba password handling
Authored by: momerath on Oct 01, '03 12:37:37PM
Directly change the Unix password from a telnet session with asswd?!? Maybe you mean passwd. Mind your p's!

The secrets of OSX Samba password handling
Authored by: ershler on Oct 01, '03 04:13:56PM

What about password server passwords?



The secrets of OSX Samba password handling
Authored by: ershler on Oct 01, '03 04:19:45PM

What about password server passwords?



A way to change samba passwords from the command line
Authored by: jferrara on Oct 02, '03 07:44:19AM

Here is a little perl script replacement for passwd that I wrote
which changes the netinfo password and the samba password.

Be aware of the issues with setuid perl scripts if you're going
to use this.

#!/usr/bin/perl -w
use Term::ReadKey;
use Crypt::SmbHash;

if (@ARGV > 1)
{
    print "usage: passwd [name]\n";
    exit 1;
}

# get the username and crypted password of the user running the script
($username, $pwd) = getpwuid($<);
if (@ARGV == 1)
{
    # if there is an argument, then it's the user whose password should be changed
    $targetuser = $ARGV[0];
    if ($< != 0)
    {
        # if we aren't running as root, then we can only change the password
        # of the current user
        if ($targetuser ne $username)
        {
            print "Permission denied\n";
            exit 1;
        }
    }

    # get information for the user whose password is to be changed
    ($username, $pwd) = getpwnam($targetuser);
    if (!defined $username)
    {
        # getpwnam returned nothing: no such account
        print "Unknown user: $targetuser\n";
        exit 1;
    }
}

print "Changing password for $username\n";


# if we're not root, make sure the user knows his current password
if ($< != 0)
{
    ReadMode('noecho');
    print "Old password:";
    $oldpw = ReadLine(0);
    ReadMode('restore');
    chomp $oldpw;
    print "\n";
    if (crypt($oldpw, $pwd) ne $pwd)
    {
        print "Sorry\n";
        exit 1;
    }
}

# get the new password (asked twice, until both entries match)
do {
    ReadMode('noecho');
    print "New password:";
    $newpw = ReadLine(0);
    ReadMode('restore');
    chomp $newpw;
    print "\n";
    if (length($newpw) == 0)
    {
        print "Password unchanged.\n";
        exit 0;
    }
    ReadMode('noecho');
    print "Retype new password:";
    $checkpw = ReadLine(0);
    ReadMode('restore');
    chomp $checkpw;
    print "\n";
    if ($newpw ne $checkpw)
    {
        print "Mismatch; try again.\n";
    }
} while ($newpw ne $checkpw);

# encrypt the new password
# (the regex match untaints it, which is needed when running setuid)
$newpw =~ /(.*)/;
$salt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];
$cpw = crypt($1, $salt);
$ENV{'PATH'} = '/bin:/usr/bin';

# generate the Windows hashes (LM and NT) of the password
($lm, $nt) = ntlmgen $newpw;
$sambahashfile = "/private/var/db/samba/hash/" . $username;

# clean up the environment before running an external command
delete $ENV{ENV};
delete $ENV{IFS};
delete $ENV{CDPATH};
delete $ENV{BASH_ENV};

# set the password in the main system database
if (system("/usr/bin/niutil", "-createprop", "/", "/users/$username", "passwd",
           $cpw) != 0)
{
    print "Password change failed.\n";
    exit 1;
}

# if the user has a samba password hash file, set that to match the new password
if (-e $sambahashfile)
{
    if (!open(HASHFILE, ">", $sambahashfile))
    {
        print "Could not update Samba hash file: $!\n";
        exit 1;
    }
    $hashstring = $lm . $nt;
    print HASHFILE $hashstring;
    close HASHFILE;
}



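Added example (not part of jferrara's post or the original hint): a shell check for the per-user hash files that the script above writes. It assumes the layout the thread describes, the LM hash followed by the NT hash, 32 hex characters each, in one file per user; the function name audit_hash_file and the wording of the findings are illustrative.

```sh
#!/bin/sh
# Added example: audit per-user Samba hash files in the layout the thread
# describes (LM hash followed by NT hash, 32 hex characters each).
# Usage (path taken from the script above): sh audit.sh /private/var/db/samba/hash/*

# Well-known LM value of an empty 7-character half.
LM_EMPTY_HALF="AAD3B435B51404EE"

# audit_hash_file FILE: print one line per finding, return the finding count.
audit_hash_file() {
    f=$1
    findings=0
    if [ ! -f "$f" ]; then
        echo "$f: no hash file"
        return 1
    fi
    # The hashes are password-equivalent, so group/other bits must all be clear.
    mode=$(ls -ld "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$f: accessible beyond the owner (group/other bits: $mode)"
        findings=$((findings + 1))
    fi
    # Normalise case and drop a trailing newline before checking the format.
    data=$(tr -d '\n' < "$f" | tr 'a-f' 'A-F')
    case $data in
        *[!0-9A-F]*)
            echo "$f: contains non-hex characters"
            findings=$((findings + 1)) ;;
    esac
    if [ "${#data}" -ne 64 ]; then
        echo "$f: expected 64 hex characters, found ${#data}"
        findings=$((findings + 1))
    elif [ "$(printf '%s' "$data" | cut -c17-32)" = "$LM_EMPTY_HALF" ]; then
        # Empty second LM half: at most 7 characters, or no LM hash stored.
        echo "$f: LM hash shows a password of 7 characters or fewer (or no LM hash)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit every file named on the command line; with no arguments, do nothing.
for f in "$@"; do
    audit_hash_file "$f" || true
done
```

A missing file is reported rather than created, since the thread's point is that a user without a current hash file cannot authenticate over SMB.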
A way to change samba passwords from the command line
Authored by: Helge33 on Oct 06, '03 08:16:47AM

Hello,

Even without trying your script right away, I can recognize the essentials, which seem to be a confirmation of my observation with samba password handling on OSX. I wonder whether there is no simpler way of handling this and whether there is any more documentation out there on the net?

Thanks for the script, Helge


