[Samba] LDAP + SASL (kerberos) password syncing

Mark Roach mrroach at okmaybe.com
Fri Jan 21 01:58:45 GMT 2005


Hi, Andrew.

On Fri, 2005-01-21 at 09:16 +1100, Andrew Bartlett wrote:
> Samba doesn't have the plaintext password, so can't do things via PAM that
> require the original plaintext.  At my site, I have Heimdal Kerberos
> backed onto the same LDAP directory as Samba, so they share the
> passwords for the arcfour-hmac-md5 encryption type, and so there is no
> need for a separate Kerberos password set.

Ahh, that makes sense. I am using heimdal, not using the ldap backend
yet though. It sounds like the method described here:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
right?

> You could also use the smbk5pwd OpenLDAP module, which will fill out the
> other Kerberos encryption types at the same time.  (I'm not yet running
> this).  I think this module should run with 'ldap password sync = only'.

That seems like the ideal situation. It sounds like I'm not going to be
able to pull this off with the versions of openldap and heimdal in the
debian repositories though. Not a big deal, but not ideal for my
purposes. Perhaps I'll do some custom packaging.

> If you can't do all that, then you need to write a script for the 'unix
> password sync' and specify it in 'passwd program'.  It must have the
> ability to set passwords, while being root on your Samba server, without
> the previous plaintext.  (i.e., a wrapper around kadmin).

I have already wrapped some of the kadmin library for use from Python.
I'm not quite sure how to accomplish this piece of it, but it might be
worth the effort...

Thanks very much for your response.

-Mark
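As an added illustration of the 'passwd program' route Andrew describes (this is example code written for this page, not something from the thread, from Samba or from Heimdal), here is a wrapper Samba can run as root that sets a user's Kerberos password with Heimdal's local kadmin and never needs the old plaintext. Assumptions, all constructed for the example: kadmin lives at /usr/bin/kadmin, the realm is EXAMPLE.COM, the smb.conf fragment shown in the docstring (including the 'passwd chat' prompts the script plays), and that Heimdal's `kadmin -l passwd` accepts `--password=`. The defender-relevant point it shows is that Samba substitutes the user name into argv for you, so the wrapper validates that name before it can reach kadmin as an option, and it calls kadmin with an argv list rather than through a shell.

```python
#!/usr/bin/env python3
"""Hypothetical 'passwd program' wrapper for Samba (added example, not from the thread).

Samba runs the configured 'passwd program' as root when 'unix password sync'
is on, substitutes the user name for %u, and drives the program through the
prompts listed in 'passwd chat'. Assumed smb.conf fragment (constructed):

    unix password sync = yes
    passwd program = /usr/local/sbin/kpasswd-sync %u
    passwd chat = *New*password* %n\n *changed*

The wrapper never needs the old plaintext: it sets the new password with
Heimdal's local kadmin (kadmin -l), which opens the KDC database directly.
"""
import re
import subprocess
import sys

KADMIN = "/usr/bin/kadmin"   # assumed path of Heimdal's kadmin binary
REALM = "EXAMPLE.COM"        # placeholder realm for the example

# Any Samba user can trigger a change, and %u lands in our argv, so accept
# only a plain principal name: nothing that kadmin could parse as an option
# (leading '-') and no '@REALM' supplied by the caller.
PRINCIPAL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def validate_user(user):
    """True if 'user' is a plain principal name with no option-like content."""
    return bool(PRINCIPAL_RE.match(user))


def kadmin_argv(user, password, realm=REALM):
    """argv (no shell) for: kadmin -l passwd --password=<pw> user@REALM."""
    if not validate_user(user):
        raise ValueError("refusing user name %r" % (user,))
    if "\n" in password or "\0" in password:
        raise ValueError("password contains a control character")
    # --password= keeps a password beginning with '-' from being read as a
    # separate option. Caveat: argv is visible in the process table while
    # kadmin runs; a kadmin library binding (as discussed in the thread)
    # avoids that exposure.
    return [KADMIN, "-l", "passwd", "--password=" + password,
            "%s@%s" % (user, realm)]


def default_runner(argv):
    """Run kadmin from an argv list (no shell) and return its exit status."""
    return subprocess.run(argv, stdin=subprocess.DEVNULL,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode


def sync_password(user, password, runner=default_runner):
    """Set the Kerberos password; True on success, False on any failure."""
    try:
        argv = kadmin_argv(user, password)
    except ValueError:
        return False
    return runner(argv) == 0


def main(argv=sys.argv):
    if len(argv) != 2:
        sys.stderr.write("usage: kpasswd-sync <user>\n")
        return 2
    user = argv[1]
    # Play the 'passwd chat' dialogue: prompt, read %n from Samba, report.
    sys.stdout.write("New password: ")
    sys.stdout.flush()
    password = sys.stdin.readline().rstrip("\r\n")
    if sync_password(user, password):
        sys.stdout.write("Password changed\n")   # matches *changed*
        return 0
    sys.stdout.write("Password change failed\n")  # does not match *changed*
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The failure message is worded so it does not match the `*changed*` pattern, and the script also exits non-zero, so Samba reports the change as failed rather than silently leaving the SMB and Kerberos passwords out of step. With the smbk5pwd approach Andrew mentions ('ldap password sync = only'), none of this is needed because the overlay derives the Kerberos keys inside the directory.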


