libpam-smbpass syncs unix passwords when "unix password sync" is off
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
samba (Ubuntu) | Opinion | Wishlist | Unassigned | |
Bug Description
Binary package hint: samba
Samba defaults to "unix password sync" off, but this package is installed by default, and ignores that setting and syncs on its own initiative. I see NO reason why this should be installed by default. Instead there could be a comment in the default smb.conf shipped, that says "instead of using unix password sync consider package X".
I strongly suspect there's a security concern as well here, I REALLY don't want my password auto synced to multiple places by default. I have sha512 encryption on /etc/shadow for a reason.
I haven't had a user enabled in samba for ages, because it kept resetting the password. To find the solution I looked in samba logs, and samba configuration files, and found nothing to explain this behavior. Then I stumbled over this thread to find the solution to what was going on:
http://
Could you clarify what you mean by "installed by default"?
It certainly isn't installed on Ubuntu Desktop by default, and it's not installed in the default Server install either. It's installed in the "Samba File Server" task in the server installer. It also gets installed when you enable file sharing on the desktop. In both cases that sounds like a sane default behavior.
The reason why it syncs unix passwords when "unix password sync" is off is that libpam-smbpass is an alternative way of syncing Unix and Samba passwords: instead of syncing them at passwd change (which is what "unix password sync" does), libpam-smbpass (if present) syncs them when the user logs in. The way to disable it is to uninstall libpam-smbpass.
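A check for the mismatch discussed in this thread, as an added example that is not part of the original report or of the samba package: it flags active `pam_smbpass.so` lines in PAM stack files when `unix password sync` is off in smb.conf. The module file name, the `migrate` option and all sample file contents are assumptions constructed for illustration; on a real host you would feed it the files under `/etc/pam.d` and the smb.conf text.

```python
import re

# Constructed sample inputs (not taken from the page or from a real host).
SAMPLE_PAM = {
    "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
                   "auth optional pam_smbpass.so migrate\n",
    "common-password": "password [success=1 default=ignore] pam_unix.so obscure sha512\n"
                       "# password optional pam_smbpass.so nullok use_authtok\n",
}
SAMPLE_SMB_CONF = "[global]\n   workgroup = WORKGROUP\n;  unix password sync = yes\n"

# PAM stack line: type, control (plain word or [bracketed]), module, options.
PAM_LINE = re.compile(
    r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def smbpass_entries(pam_files):
    """Return (file, type, options) for every active pam_smbpass line."""
    hits = []
    for name, text in sorted(pam_files.items()):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments
            m = PAM_LINE.match(line)
            if m and m.group(3).rsplit("/", 1)[-1] == "pam_smbpass.so":
                hits.append((name, m.group(1), m.group(4).split()))
    return hits

def unix_password_sync(smb_conf):
    """Value of 'unix password sync' in [global]; Samba's default is off."""
    section, value = None, False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            if "".join(key.lower().split()) == "unixpasswordsync":
                value = val.strip().lower() in ("yes", "true", "on", "1")
    return value

def audit(pam_files, smb_conf):
    """Findings where PAM syncs passwords although smb.conf says not to."""
    if unix_password_sync(smb_conf):
        return []
    return [f"{f}: {t} stack runs pam_smbpass.so {' '.join(o)}".rstrip()
            for f, t, o in smbpass_entries(pam_files)]
```

An empty result from `audit()` means either no active `pam_smbpass.so` line was found or the smb.conf setting is on, so the two mechanisms agree.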