[pptp-server] Poor Man's PPTP/Samba password integration

Patrick Reid PReid at candesco.com
Tue Oct 9 09:46:32 CDT 2001

I know that there is a patch out there to allow people to authenticate using
smbpasswd. But, if you are like me and have had to set up your users with
entries in the smbusers file so that they can log in as "Joe Bloggs" instead
of "jbloggs", this patch doesn't work. I was about to implement a further
modification to get pppd to check the smbusers file first and replace the
name with the mapped name if appropriate (which would have been rough as I
am nobody's idea of a C programmer) when it occurred to me that I could use
Samba's unix password sync and related options to take care of
this. As follows:

modify smb.conf to contain

        unix password sync = Yes
        passwd program = /samba/pptp_passwd.d/vpn_linux_passwd %u
        passwd chat = *New*password* %n\n *successfully*

create a script called vpn_linux_passwd in the appropriate directory. Yes, I
know, it puts all passwords in plaintext. But the folder is not accessible
from any Samba share and both the directory and the file have their perms set
to 700 and owned by root. I figure if someone can read files which are
supposed to only be visible to root, I have more problems than my users'
password integrity! My vpn_linux_passwd script is as follows:

#!/bin/sh
# This script is designed to allow Samba to both change the Linux password
# and the chap password file when it updates the Samba password. Basically,
# makes "unix password sync = true" be equivalent to a (fictitious) "unix &
# pptp password sync = true"

if [ -z "$1" ]; then
        echo "usage: $0 username"
        exit 1
fi

# Samba's "passwd chat" waits for this prompt (*New*password*) and then
# sends the new password followed by a newline, which is read from stdin.
echo -n "New password: "
read -r NEWPASS

# passwd output is captured so the chat can also match "successfully".
# (The fixed path under / is as in the original; only root runs this.)
rm -rf /pass.tmp
echo "$NEWPASS" | /usr/bin/passwd --stdin "$1" > /pass.tmp 2>&1

grep successfully /pass.tmp >/dev/null
if [ $? -eq 0 ]; then
        # Unix password changed: write the per-user secret file that pppd
        # reads via the @file entry in chap-secrets, readable by root only.
        echo \"$NEWPASS\" >/samba/pptp_passwd.d/"$1"
        chown root. /samba/pptp_passwd.d/"$1"
        chmod 600 /samba/pptp_passwd.d/"$1"
        cat /pass.tmp
        rm -f /pass.tmp
        exit 0
else
        echo "Password change attempt failed."
        rm -f /pass.tmp
        exit 1
fi

My chap-secrets file has entries that look like this for each user (note
that I am using the chapms-strip-domain patch):

	"Joe Bloggs"	*	@/samba/pptp_passwd.d/jbloggs		*
	"jbloggs"		*	@/samba/pptp_passwd.d/jbloggs		*

So no matter how my users authenticate, long or short form, with or without
DOMAIN\user format, they are OK. And I only have to do the initial setup; no
on-going maintenance.

Patrick Reid
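The scheme above stores plaintext secrets and rests entirely on the directory being 700 and each file 600, both owned by root. As an added check that is not part of Patrick's post, the following script audits exactly those invariants; it assumes GNU stat (Linux) and takes the secrets directory and, optionally, the expected owner as arguments:

```shell
#!/bin/sh
# Audit the permission invariants the pptp_passwd.d scheme depends on:
# the directory must be mode 700 owned by root, every per-user secret
# file in it mode 600 owned by root, and nothing may be a symlink.
# Assumes GNU stat. Returns 0 when clean, 1 after printing any violation.
check_pptp_secret_perms() {
    dir="$1"
    want_owner="${2:-root}"   # expected owner; root in the post
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    owner=$(stat -c '%U' "$dir")
    if [ "$mode" != "700" ] || [ "$owner" != "$want_owner" ]; then
        echo "directory $dir is $owner mode $mode (want $want_owner 700)"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: glob stays literal
        if [ -L "$f" ]; then
            echo "symlink in secrets directory: $f"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U' "$f")
        if [ "$mode" != "600" ] || [ "$owner" != "$want_owner" ]; then
            echo "file $f is $owner mode $mode (want $want_owner 600)"
            rc=1
        fi
    done
    return $rc
}

# Run directly as: sh check_pptp_perms.sh /samba/pptp_passwd.d
if [ -n "${1:-}" ]; then
    check_pptp_secret_perms "$1" "${2:-root}"
fi
```

Running it from cron against /samba/pptp_passwd.d turns the "I figure if someone can read root-only files..." assumption into something that is actually verified.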