[Samba] Samba (v.3) LDAP passwd sync

Andrew Bartlett abartlet at samba.org
Wed Nov 6 22:49:44 GMT 2002


On Thu, 2002-11-07 at 09:20, Jonathan Higgins wrote:
> in samba v.3 there is a smb.conf directive - ldap passwd sync
> 
> this provides several ldap passwd sync options on the fly including 
> updating the ldap, nt, and lm passwords or just the ldap password. 
> to accomplish this you can use the options: yes, no, or only
> 
> I'm not sure if this is the place to ask, but what if the ldap server 
> is using kerberos5 as a backend to store passwords? .. maybe we could 
> add an option to ldap passwd sync = kerberos and then require a few
> more parameters including the krb5.keytab file location and the fqdn
> of the kerberos server.  Then directly update the kerberos user 
> principal password at the time of synchronization? ... the user's 
> principal would be available from the ldap structure because it's 
> stored in the userPassword in the form of 
> {KERBEROS}username at KERB_DOMAIN
> 
> anyway.. I'm not a great programmer or I would try to do this..

This is what 'unix password sync' and 'pam passwd sync' are about.  The
LDAP option really should not exist - almost the exact same effect can
be had by the use of pam_ldap.  However, this avoided the need to tell
pam_ldap your admin dn and password, and allowed us to say 'the ldap
server takes care of all that'.

So, for your situation you could write a wrapper around kadmin, or a PAM
module (see pam_krb5_migrate for a start) to do the job.  Samba then
calls that.

I'm looking at fixing this another way however - using Heimdal kerberos,
its LDAP backend, and teaching the LDAP server how to update the kerberos
passwords directly as kerberos attributes.  (This tries to avoid the
multiple points of failure I've been fighting at my site all this year).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
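The "wrapper around kadmin" that Andrew suggests, as an added example that is not part of the thread and not Samba's own code: a script that Samba's 'unix password sync' machinery would run through 'passwd program' after a successful SMB password change. The smb.conf wiring in the header comment, the script path, the realm, the KADMIN_CMD/KRB5_REALM environment knobs and the assumption that an MIT-style kadmin.local accepts the new password twice on stdin for "cpw" are all assumptions; the wrapper has to run on the KDC host with access to the Kerberos database. The part worth copying is the input handling: the user name is validated against a strict alphabet before it is spliced into the kadmin query, the realm is taken from configuration rather than from the caller, and the password travels on stdin rather than in argv, where it would be visible in process listings.

```shell
#!/bin/sh
# smb-krb5-passwd: hypothetical wrapper around kadmin for Samba's
# "unix password sync". Added example, not code from the thread.
#
# Assumed smb.conf wiring (Samba runs the program as root and drives it
# through the passwd chat; %u is the user, %n the new password):
#   unix password sync = yes
#   passwd program = /usr/local/sbin/smb-krb5-passwd %u
#   passwd chat = *New*password* %n\n *changed*
#
# Assumption: an MIT-style kadmin.local whose "cpw" reads the new password
# twice from stdin. KADMIN_CMD and KRB5_REALM are configuration knobs
# invented for this example.
set -u

KADMIN_CMD="${KADMIN_CMD:-kadmin.local}"
KRB5_REALM="${KRB5_REALM:-EXAMPLE.COM}"   # placeholder realm, set it for real use

# Only a conservative user-name alphabet gets anywhere near the kadmin query
# string: no '@', '/', whitespace or shell metacharacters, and no leading '-'
# that kadmin could read as an option.
validate_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the principal from the validated name and the configured realm,
# never from anything the caller might have put after an '@'.
principal_for() {
    printf '%s@%s\n' "$1" "$KRB5_REALM"
}

# Change one user's Kerberos password. The new password arrives on stdin
# (the %n from passwd chat) and is forwarded to kadmin on stdin as well, so
# it never appears in argv where "ps" would show it.
# Returns 0 on success, 2 for a rejected user name, 3 for a missing
# password, 1 when kadmin fails.
change_krb5_password() {
    user=$1
    validate_username "$user" || { echo "refusing unsafe user name" >&2; return 2; }
    principal=$(principal_for "$user")
    IFS= read -r newpw || return 3
    [ -n "$newpw" ] || { echo "empty password" >&2; return 3; }
    # cpw prompts for the password twice; answer both prompts on stdin.
    printf '%s\n%s\n' "$newpw" "$newpw" | "$KADMIN_CMD" -q "cpw $principal" >/dev/null 2>&1
    rc=$?
    unset newpw
    [ "$rc" -eq 0 ] || { echo "kadmin failed for $principal" >&2; return 1; }
    # Matches the *changed* token in the assumed passwd chat.
    echo "password changed"
    return 0
}

# Entry point used by Samba: print a prompt the passwd chat can match, then act.
main() {
    [ $# -eq 1 ] || { echo "usage: $0 USERNAME" >&2; exit 2; }
    printf 'New password: '
    change_krb5_password "$1"
}

# Run main only when executed under the installed script name, so the
# functions can also be sourced for testing.
case "${0##*/}" in
    smb-krb5-passwd) main "$@" ;;
esac
```

For a Heimdal KDC the kadmin invocation differs, so the only line that would change is the pipeline inside change_krb5_password; the validation and the stdin handling stay the same.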