samba sync password with unix password on debian wheezy

Solution 1:

Well... the missing link was:

 libpam-smbpass

So, after installing this packages it works as expected. The Internet's long term memory just brings partial information sometimes. So in order to fight this I am publishing here the correct link how to sync samba passwords with unix passwords, and also my own test.

root@raspberrypi:/home/pi# passwd mag2
passwd: user 'mag2' does not exist
root@raspberrypi:/home/pi# useradd mag2
root@raspberrypi:/home/pi# echo "mag2:12345" | chpasswd
root@raspberrypi:/home/pi# smbclient -L localhost -U mag2
Enter mag2's password: 
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    IPC$            IPC       IPC Service (raspberrypi server)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

    Server               Comment
    ---------            -------
    RASPBERRYPI          raspberrypi server

    Workgroup            Master
    ---------            -------
    WORKGROUP            
root@raspberrypi:/home/pi# su pi
pi@raspberrypi ~ $ su mag2
Password: 
Added user mag2.

mag2@raspberrypi:/home/pi$ 

I hope this helps someone else.

update 2017:

libpam-smbpass is deprecated. It seems what replaced it is pam_winbindd. You can install the package libpam-winbind to get it. This however, still does not sync samba passwords with your unix passwords. Instead it allows you to authenticated to unix with a Windows Authentication server (AD). You can find info on that here: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Solution 2:

Wanted to comment on previous answer but could not do it for lack of reputation points. Tried to put the full content on this answer but could not as it said that looked like spam. here is the access to the full content on the wayback machine, and following is the brief version of main points:

Unix and Samba password sync on Debian Etch

Install the following packages:

# apt-get install libpam-smbpass smbclient

Unix -> Samba

In order to update the Samba password whenever a user changes their Unix password, change

/etc/pam.d/common-password: from

password   required   pam_unix.so nullok obscure min=4 max=8 md5

to

password   requisite**  pam_unix.so nullok obscure min=4 max=8 md5
password   required   pam_smbpass.so nullok use_authtok try_first_pass

Changing "required" to "requisite" for pam_unix will make sure that if Unix password change fails, the execution of plugins ends immediately.

In order for this to work, users must already have Samba accounts, and their Samba passwords must match their Unix passwords. Because this is not necessarily the case, we must change

/etc/pam.d/common-auth: from

auth    required        pam_unix.so nullok_secure

to

auth    requisite       pam_unix.so nullok_secure
auth    optional        pam_smbpass.so migrate

This will create a Samba user, if it doesn't already exist, and change it's password to the Unix password, whenever the user logs in using SSH or any other service that uses default system (common-auth) authentication.

You should see a message Added user when logging in using SSH with an account that doesn't already have a Samba account.

Because this will also create a Samba account for root, you might want to disable root access in Samba (Debian Etch has it disabled by default):

/etc/samba/smb.conf:

invalid users = root

Caveat: This will not work if the user logs in via SSH or other services without using a password (for example by using public/private key authentication). In this case, PAM won't have the plain-text password, which is needed to create the Samba password.

Notice: When you modify common-password to also require Samba passwords updates, any currently logged in users will not be able to change their password using "passwd" until they re-login, unless they already have an existing Samba account with a password equal to their Unix password.

Samba -> Unix

We instruct Samba to use PAM when changing passwords:

/etc/samba/smb.conf:

unix password sync = yes
pam password change = yes

Restart Samba using /etc/init.d/samba restart.

Configure PAM to support changing of password by Samba by adding @include common-password:

/etc/pam.d/samba:

@include common-auth
@include common-account
@include common-session
@include common-password

This will use the same mechanism to change passwords when using Samba as when using "passwd". This means it will require an update of the Unix password before attempting to change the Samba password.

Creating new users

use chpasswd to avoid error:

# useradd test
# echo “test:newpass” | chpasswd