Comment 10 for bug 208419

Steve Langasek (vorlon) wrote :

The necessary changes to pam have been uploaded, but now there's a question of how to go about incorporating the libpam-smbpass package so that the password synchronization actually takes place.

I've spoken with Kees Cook about the security implications, and he strongly discourages enabling libpam-smbpass password synchronization by default on the grounds that the NTLM password hashing is weaker than the Unix password hashing. I've conceded this point, so I think the correct thing to do here is to install libpam-smbpass at the same time that samba is installed. For servers this means making it part of the samba-server task, and for desktops that means hooking into nautilus-share so that it will install both packages when filesharing is requested.

In the desktop case, we may want to provide users with some notice about the fact that not all users will automatically have passwords available; however, because the PAM integration will auto-sync passwords from the Unix password store to the Samba password store on every successful /authentication/, not just on password changes, if bug #212098 is addressed then this already takes care of the problem for most desktop users.