[Samba] passwd chat for samba->kerberos passwd-sync
t.becker at nc-world.de
Wed Jan 31 13:23:29 GMT 2007
I tried to run a samba3 server as pdc for windowsXP clients with ldap
backend and kerberos authentication.
I stuck with these two possibilities:
1. Samba is pdc, winxp is domain-member, users are autheticated against
smbpasswords within ldapsam.
If the kerberos password of the korresponding principal has the same
password, the users get a ticket from the kdc after windows logon.
But I have two password databases: ldapsam and kerberos
2. Windows XP authenticates directly against the kdc. But Windows is
then NOT member of a samba-domain, it is in a workgroup named after the
So I have local organized users, no netlogon features, no roaming
The only hack to get a real domain with pdc and members and just one
password database that I know abaut, is the ability to sync samba
passwords with linux passwords.
Syncing the linux passwords in my scenario means syncing the kerberos
Now my question:
Can anyone tell, if I'm right with my config so far, or could it be done
Can anyone provide me a passwd chat that enables me to sync the
I tried the normal passwd chat and tried to edit it, but I always run
into problems. I think it's because with kerberos I have to provide the
old password first, before I'm asked for the new one.
This are the tested passwd chats:
passwd program = /usr/bin/passwd %u
; passwd chat = *Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd chat = *Password:* %o\n *"Enter new password:"* %n\n *"Enter
it again:"* %n\n *"passwd: password updated successfully"* .
pam password change = yes
More information about the samba