[Samba] passwd chat for samba->kerberos passwd-sync

Torsten Becker t.becker at nc-world.de
Wed Jan 31 13:23:29 GMT 2007


I tried to run a samba3 server as pdc for windowsXP clients with ldap 
backend and kerberos authentication.

I stuck with these two possibilities:

1. Samba is pdc, winxp is domain-member, users are autheticated against 
smbpasswords within ldapsam.
If the kerberos password of the korresponding principal has the same 
password, the users get a ticket from the kdc after windows logon.
But I have two password databases: ldapsam and kerberos

2. Windows XP authenticates directly against the kdc. But Windows is 
then NOT member of a samba-domain, it is in a workgroup named after the 
So I have local organized users, no netlogon features, no roaming 

The only hack to get a real domain with pdc and members and just one 
password database that I know abaut, is the ability to sync samba 
passwords with linux passwords.
Syncing the linux passwords in my scenario means syncing the kerberos 

Now my question:
Can anyone tell, if I'm right with my config so far, or could it be done 
Can anyone provide me a passwd chat that enables me to sync the 
linux/kerberos passwords?

I tried the normal passwd chat and tried to edit it, but I always run 
into problems. I think it's because with kerberos I have to provide the 
old password first, before I'm asked for the new one.

This are the tested passwd chats:

   passwd program = /usr/bin/passwd %u
;   passwd chat = *Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   passwd chat = *Password:* %o\n *"Enter new password:"* %n\n *"Enter 
it again:"* %n\n *"passwd: password updated successfully"* .
  pam password change = yes

Greetz, Torsten

More information about the samba mailing list