RADIUS is now entering passwords into Samba for those that have never reset their passwords to log in to the Samba Windows domain.
Due to numerous complaints from people who hadn’t ever changed their passwords, and thus weren’t ever active in the Samba password file, I rewrote part of the rlm_smb module in RADIUS. It now checks against LDAP first, and if it succeeds there, it changes the Samba password with the supplied password.
The addition to the RADIUS module is a couple of lines of C code that call a perl script. The script does the LDAP checking and Samba password updating. It’s a somewhat kludgy system, but it is working. I put the RADIUS changes in the FreeRADIUS package that I installed on SHANTI, and the perl script is /usr/local/libexec/radldapsmb.pl, which must be called as root (and thus the RADIUS server must run as root, which it was anyway).
As a result, anyone successfully authenticating now can log in to the Windows 2000 computers without having to go through a password reset.
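The check-then-update step described above, as an added illustration in Python rather than the author's own perl script (/usr/local/libexec/radldapsmb.pl is not reproduced here). It assumes the LDAP bind test is supplied as a callable and that `smbpasswd` is on PATH and the process runs as root, as the post says the RADIUS server did.

```python
import re
import subprocess
from typing import Callable

# Conservative account-name shape (hypothetical policy): anything else is
# refused before it is used in an LDAP DN/filter or handed to smbpasswd.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")


def default_smbpasswd(user: str, password: str) -> bool:
    """Set the Samba password with smbpasswd, feeding the secret on stdin.

    `smbpasswd -s` reads the new password twice from stdin, so the password
    never appears in the argument list where other local users could read it
    from the process table. Requires root.
    """
    proc = subprocess.run(
        ["smbpasswd", "-a", "-s", user],
        input=f"{password}\n{password}\n".encode(),
        capture_output=True,
        check=False,
    )
    return proc.returncode == 0


def sync_samba_password(
    user: str,
    password: str,
    ldap_check: Callable[[str, str], bool],
    set_samba: Callable[[str, str], bool] = default_smbpasswd,
) -> str:
    """Authenticate against LDAP first; only on success push the same
    password into the Samba password file.

    Returns one of: 'bad-username', 'empty-password', 'ldap-rejected',
    'samba-updated', 'samba-failed'.
    """
    if not USERNAME_RE.match(user):
        return "bad-username"
    # An LDAP simple bind with an empty password is an anonymous bind and
    # "succeeds" on many servers; it must never count as authentication,
    # otherwise an attacker could blank someone's Samba password.
    if password == "":
        return "empty-password"
    if not ldap_check(user, password):
        return "ldap-rejected"
    return "samba-updated" if set_samba(user, password) else "samba-failed"
```

In the real deployment `ldap_check` would perform a simple bind as the user's DN; here it is injected so the decision logic can be exercised without an LDAP server.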
Update
While RADIUS is still working in the mode described here on SHANTI, I have shifted the bulk of authentications (which are e-mail logins from KE) to querying LDAP directly with the pam_ldap module. The above modifications required FreeRADIUS to run in single threaded mode, which was insufficient for the load placed on it by KE. As a result, it was dropping RADIUS request packets and causing login failures. I will keep RADIUS running in this mode for the time being, as it is still useful to have the Samba auto-update feature. However, I suspect we will see a shift away from RADIUS authentication towards direct LDAP authentication.
Posted by Rowan Littell at May 18, 2003 03:26 PM, updated 11:32 AM May 19, 2003