Method for users to change Samba password

samba

I have a Samba server for about 5 users (security = user) and I want a way for these users to change their passwords without my involvement so I have the following idea. Is this secure? Is there a better (as in more simple) approach. We used to have SWAT for this but no more.

On server: create restricted user (/bin/rbash + PATH to single directory)

$ sudo adduser --shell /bin/rbash pwchange

$ cat /etc/passwd
  pwchange:x:1001:1001:pwchange,,,:/home/pwchange:/bin/rbash

$ sudo vi /home/pwchange/.bashrc
  Add:
  export PATH=/usr/local/pwchange

$ sudo ln -s /usr/bin/smbpasswd /usr/local/pwchange/smbpasswd

This idea here is that only the sambpasswd command can be run by
the pwchange user. The unix accounts for the Samba users do
not have passwords (i.e. log on via these accounts not allowed).
The samba users would only be able to use this restricted account for self service Samba password changes … no exploring the server!

Client: Change Samba password via Terminal or Putty (Windows)

user1@A3700:~$ ssh pwchange@192.168.1.14

pwchange@V220:~$ smbpasswd -U user1
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user user1

Best Answer

Giving them all access to the same dummy account doesn't sound smart. Even if you lock it down to have access to nothing BUT smbpasswd they could still change eachother's passwords. And there's always possibility of a malicious privilege escalation attack.

Essentially what it sounds like you want is to allow them to run ONLY the smbpasswd command from their own user account while still having an equivalent to a nologin account.

This can be accomplished with the use of the "ForceCommand" option in your sshd_config.

Try this:

  1. Grant each user with a Samba account membership to the same group. For our example let's say "sambaOnly":

    #From Root
groupadd sambaOnly
usermod -a -G sambaOnly Joe

  2. Next, we want to change our sshd_config file to have the following:

    #From Root
cat << EOF >> /etc/ssh/sshd_config
Match Group sambaOnly
    ForceCommand smbpasswd
EOF

Presto. From my understanding (and brief testing) this means when they login via SSH they will automatically have the smbpasswd command run and they will be prompted accordingly. They will never get the chance to have shell access. After the command completes they are automatically disconnected, again never getting a chance to have shell access.

I am not 100% sure this removes all access to the machine remotely. For example, if you are running a different SSH server on the same machine that doesn't ForceCommand them, then they could login via that depending on its access control config.

Also, if they have the opportunity for physical access to a terminal they can login.

However, I think for most situations this is fairly strong access control.

Related Question