[Samba] LDAP + SASL (kerberos) password syncing

Andrew Bartlett abartlet at samba.org
Thu Jan 20 22:16:39 GMT 2005


On Wed, 2005-01-19 at 20:16 -0500, Mark Roach wrote:
> I am getting a bit confused about which methods to use to keep my
> passwords synced given the following scenario.
> 
> Samba PDC using LDAP backend.
> LDAP uses {SASL}princ at REALM type passwords
> Sasl mechanism is saslauthd using kerberos5
> 
> I can use pam like:
> 
> password  required  pam_smbpass.so
> password  required pam_krb5.so use_first_pass
> 
> 
> and then passwd will set both passwords
> 
> but how can I make it so that changing user password from a windows
> workstation will also change the kerberos password? "pam passwd change"
> does not seem to be doing the trick.

Samba doesn't have the plaintext password, so can't do things via PAM that
require the original plaintext.  At my site, I have Heimdal Kerberos
backed onto the same LDAP directory as Samba, so they share the
passwords for the arcfour-hmac-md5 encryption type, and so there is no
need for a separate Kerberos password set.  

You could also use the smbk5pwd OpenLDAP module, which will fill out the
other Kerberos encryption types at the same time.  (I'm not yet running
this).  I think this module should run with 'ldap password sync = only'.

If you can't do all that, then you need to write a script for the 'unix
password sync' and specify it in 'passwd program'.  It must have the
ability to set passwords, while being root on your Samba server, without
the previous plaintext.  (i.e., a wrapper around kadmin).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
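
A sketch of the kadmin wrapper described in the last paragraph of the reply, as an added example that is not code from the post or from the Samba project. It assumes an MIT KDC on the Samba server (kadmin.local), a placeholder realm, a hypothetical script path, and that kadmin reports success with a 'Password for ... changed' line.

```shell
#!/bin/sh
# Added example: 'passwd program' wrapper that sets a Kerberos password as
# root without the old plaintext. Assumed smb.conf (script path hypothetical):
#   unix password sync = yes
#   passwd program = /usr/local/sbin/smb-krb5-passwd %u
#   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *changed*
REALM=${REALM:-EXAMPLE.ORG}                 # constructed placeholder realm
KADMIN=${KADMIN:-/usr/sbin/kadmin.local}    # assumption: MIT KDC on this host

# Accept only plain account names: nothing kadmin could read as an option,
# a second argument, or a principal in another realm.
valid_user() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the one-line kadmin command to feed on stdin; refuse passwords that
# would break out of the double-quoted argument.
kadmin_cmd() {
    nl='
'
    case $2 in
        ''|*\"*|*"$nl"*) return 1 ;;
    esac
    printf 'cpw -pw "%s" %s\n' "$2" "$1"
}

main() {
    valid_user "$1" || { echo "rejected user name" >&2; return 1; }
    printf 'New password: ';        IFS= read -r pw1 || return 1
    printf 'Retype new password: '; IFS= read -r pw2 || return 1
    [ "$pw1" = "$pw2" ] || { echo "passwords differ" >&2; return 1; }
    cmd=$(kadmin_cmd "$1@$REALM" "$pw1") || { echo "unsupported character" >&2; return 1; }
    # The command reaches kadmin on stdin via the printf builtin, so the
    # password never appears in any process's argument list.
    out=$(printf '%s\n' "$cmd" | "$KADMIN" 2>&1)
    case $out in
        *'Password for '*' changed'*) echo "password changed" ;;
        *) echo "kadmin failed for $1" >&2; return 1 ;;   # output not echoed
    esac
}

# Run only when called with a user name, as Samba does with %u.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The script must be owned by root and not writable by anyone else, since Samba runs it as root.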