[Samba] Kerberos Password Changes

Sean Elble elbles at sessys.com
Fri Jan 12 07:58:31 GMT 2007

Hi all,

I apologize if I am getting into a subject that has been hashed and rehashed
endlessly on this list, but I am just not finding exactly what I am looking
for in terms of a response.

At the moment, I have Linux and Solaris servers happily authenticating to my
MIT Kerberos KDC, and fetching user information via an OpenLDAP server with
a StartTLS connection (and authenticating to the LDAP server via their
Kerberos ticket - very neat stuff, and http://aput.net/~jheiss/krbldap/ was
very helpful in setting it all up, albeit with a few errors and omissions).
Samba is also using the same LDAP directory to store its SAM database,
including user passwords, which can thus obviously differ from their
Kerberos passwords.

All the Linux and UNIX systems authenticate via Kerberos (including all
services running on each of the UNIX systems, such as Sendmail, Dovecot,
SSH, et cetera). This leaves the Windows machines as the only ones who cannot
authenticate via Kerberos AND remain part of the Samba domain. I do know
that Windows 2000 and XP systems can authenticate via a MIT Kerberos server,
but that also involves maintaining local user accounts on each machine,
something I am not very fond of doing.

I am now left with the question of how to keep the passwords in sync,
considering there is no better option (that I know of, anyway -
enlightenment here would be welcome if it can be offered). The one thought I
had was to write a script that would invoke kadmin with a principal that had
change password privileges (and the password for said principal saved within
that script), and then change it that way. I do not particularly care for
the idea of saving a password that has such capabilities in a script, even
if owned by root and chmod'ed 700, but I cannot think of any better options,
particularly at 2:45 AM EST. :-) If anyone has any tips or scripts that they
would be willing to contribute, that would be fantastic. I am hoping to
present a presentation on LDAP, Kerberos, and Samba integration for one of
the Virginia Tech Linux & UNIX User's Group meetings this semester, and this
is really the only stumbling block left.

Oh, and just out of curiosity, and if anyone has a second or two, any ideas
for how/if Samba4 will handle "external" LDAP and Kerberos data sources?

Lastly, I am still amazed at how smoothly all of this stuff works,
especially combined - as always, a round of applause to all the Samba
developers, Jason Heiss for writing a terrific how-to on implementing
Kerberos and OpenLDAP, and the IDEALX guys for their how-to as well.
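The sync script sketched above, written out as an added example (it is not
from the original post, nor from Samba or MIT Kerberos). It is meant to be
hooked in on the Samba side through smb.conf's "unix password sync = yes",
"passwd program = /usr/local/sbin/krb5-pwsync %u" and a "passwd chat" that
answers the "New password:" prompt with %n and waits for "changed"; that
pairing, the script path, the admin principal pwsync/admin@EXAMPLE.COM and
the keytab path are all assumptions. Two choices address the concern raised
in the post: kadmin authenticates with a root-only keytab (-k -t) instead of
a password stored in the script, and the new password travels on kadmin's
stdin (it prompts twice), so it never shows up in argv or the process list.
The user name is checked against a strict character set before it is spliced
into the kadmin query.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba/MIT Kerberos.
# Invoked by Samba as: passwd program = /usr/local/sbin/krb5-pwsync %u
# (assumed path), with "unix password sync = yes" and a matching passwd chat.
# Reads the new password from standard input and changes the user's Kerberos
# principal via kadmin, authenticating with a keytab rather than a stored
# password. Principal, realm and keytab path below are assumptions.

KADMIN=${KADMIN:-/usr/sbin/kadmin}
SYNC_PRINC=${SYNC_PRINC:-pwsync/admin@EXAMPLE.COM}   # assumed admin principal
SYNC_KEYTAB=${SYNC_KEYTAB:-/etc/krb5.pwsync.keytab}  # assumed path; root-only, mode 0600

# Accept only names that cannot alter the kadmin query: letters, digits,
# '.', '_' and '-', and not starting with '-' (would parse as an option).
# Returns 0 when the name is acceptable, 1 otherwise.
valid_user() {
    case "$1" in
        "" )                return 1 ;;
        *[!A-Za-z0-9._-]* ) return 1 ;;
        -* )                return 1 ;;
        * )                 return 0 ;;
    esac
}

# Build the kadmin change-password query for one user (echoed to stdout).
cpw_query() {
    printf 'cpw %s\n' "$1"
}

# Change the principal's password. The new password arrives on our stdin
# (Samba's passwd chat supplies it) and is fed to kadmin's stdin, answering
# its two "Enter password" / "Re-enter password" prompts.
sync_password() {
    user=$1
    valid_user "$user" || { echo "refusing to sync user '$user'" >&2; return 2; }
    printf 'New password: '
    IFS= read -r newpw
    [ -n "$newpw" ] || { echo "empty password" >&2; return 2; }
    printf '%s\n%s\n' "$newpw" "$newpw" |
        "$KADMIN" -k -t "$SYNC_KEYTAB" -p "$SYNC_PRINC" \
                  -q "$(cpw_query "$user")" >/dev/null 2>&1 \
        || { echo "kadmin failed for '$user'" >&2; return 1; }
    echo "Password changed"
}

# Run only when invoked as a script with exactly one user name (Samba's %u).
if [ "$#" -eq 1 ] && [ -n "$1" ]; then
    sync_password "$1"
fi
```

The script must be root-owned and mode 0700, like the keytab; the admin
principal it authenticates as should be granted only the change-password
privilege in kadm5.acl, so a compromise of the keytab cannot be used to
create or delete principals.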

