[Samba] Sync password (with MIT-kerberos server) and migration

FM dist-list at lexum.umontreal.ca
Mon Jan 17 13:17:03 GMT 2005


Hello turbo,

It's funny that you help me in all the mailing lists connected to LDAP as a
backend ;-)

Yes, my LDAP server is OpenLDAP.
Because I use your how-to, my UserPassword is: {SASL}principal@REALM
And it is working, because I can use a simple bind to do an ldapsearch.
Sorry, but I do not understand:

> Use userPassword: {SASL}principal@REALM
> then ldap will 'ask' the KDC, and samba doesn't have to care...

Correct me if I am wrong, but UserPassword is for the Unix password, right?
Can Samba use UserPassword (so in my case SASL, so the Kerberos password) to
authenticate the user?


Thanks,
FM

On 17/01/05 03:30, "Turbo Fredriksson" <turbo at bayour.com> wrote:

>>>>>> "FM" == FM  <dist-list at lexum.umontreal.ca> writes:
> 
>     FM> Now, LDAP/Kerberos is replacing NIS, and Samba (with ldap
>     FM> backend) will replace the local backend.
> 
> Is your LDAP server by any chance OpenLDAP? If not, my examples probably
> won't work...
> 
>     FM> 2- Because Samba can not use MIT-Kerberos for password (as far
>     FM> as I know)
> 
> Don't know if this is true, but it doesn't matter. Use
>       userPassword: {SASL}principal@REALM
> then ldap will 'ask' the KDC, and samba doesn't have to care...
> 
>     FM> When a user from Windows wants to change his password,
>     FM> samba will use a custom script (not created yet) to also
>     FM> update the Kerberos password (if you have examples they're
>     FM> more than welcome).
> 
> With some additional tests around this, all you need is a one liner:
> 
>     kadmin -q "cpw -pw secret principal"
> 
>     FM> But the big problem is Linux users: if
>     FM> they want to update their password, they use kpasswd but it
>     FM> will not update the samba password.
> 
> As said above, using {SASL}, that doesn't matter...
> 
> 
> Please have a look at http://www.bayour.com/LDAPv3-HOWTO.html. It's
> old, but there should be SOMETHING in there for you...
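
The "additional tests" around the kadmin one-liner quoted above, as an added example that is not part of the thread or either poster's code: it checks the user name and the new password before building the `cpw` query, so neither can alter the query or address a different principal. The realm `EXAMPLE.ORG`, the function names, the `KADMIN` override and the allowed character sets are assumptions.

```sh
#!/bin/sh
# Added example: checks to run before the kadmin one-liner from the thread.
# REALM, KADMIN and the allowed character sets are assumptions.
LC_ALL=C; export LC_ALL            # make the A-Z / a-z ranges ASCII-only
REALM="${REALM:-EXAMPLE.ORG}"      # placeholder realm
KADMIN="${KADMIN:-kadmin}"         # overridable, e.g. for a dry run

# Accept only a plain account name. '/', '@', quotes and spaces are refused
# so the name cannot address another instance or realm (user/admin,
# user@OTHER) or split the query; a trailing '$' (Samba machine account)
# is refused too.
valid_user() {
    case "$1" in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Accept only characters that cannot end or split the -q query string
# (no whitespace, quotes or backslashes) and no leading '-' that could
# read as an option. Conservative whitelist.
valid_password() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.,:_+=%@#^/-]*) return 1 ;;
    esac
    return 0
}

# Print the kadmin query for user $1 and password $2, or fail with 2 / 3.
build_cpw_query() {
    valid_user "$1"     || { echo "rejected user name" >&2; return 2; }
    valid_password "$2" || { echo "rejected password" >&2; return 3; }
    printf 'cpw -pw %s %s@%s\n' "$2" "$1" "$REALM"
}

# User name in $1, new password on stdin, so it stays out of this script's
# argv. kadmin's own -q argument still carries it, as in the one-liner.
sync_password() {
    IFS= read -r newpw || [ -n "$newpw" ] || return 3
    query=$(build_cpw_query "$1" "$newpw") || return $?
    "$KADMIN" -q "$query" >/dev/null
}

# Run only when called with a user name: sync-script USER < password
[ "$#" -eq 0 ] || sync_password "$1"
```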



