[Samba] passwd chat for samba->kerberos passwd-sync
Torsten Becker
t.becker at nc-world.de
Wed Jan 31 13:23:29 GMT 2007
Hello!
I tried to run a samba3 server as pdc for windowsXP clients with ldap
backend and kerberos authentication.
I am stuck with these two possibilities:
1. Samba is pdc, winxp is domain-member, users are authenticated against
smbpasswords within ldapsam.
If the kerberos password of the corresponding principal has the same
password, the users get a ticket from the kdc after windows logon.
But I have two password databases: ldapsam and kerberos
2. Windows XP authenticates directly against the kdc. But Windows is
then NOT member of a samba-domain, it is in a workgroup named after the
kerberos-realm.
So I have locally organized users, no netlogon features, no roaming
profiles...
The only hack to get a real domain with pdc and members and just one
password database that I know about, is the ability to sync samba
passwords with linux passwords.
Syncing the linux passwords in my scenario means syncing the kerberos
passwords...
Now my question:
Can anyone tell me if I'm right with my config so far, or could it be done
better?
Can anyone provide me a passwd chat that enables me to sync the
linux/kerberos passwords?
I tried the normal passwd chat and tried to edit it, but I always run
into problems. I think it's because with kerberos I have to provide the
old password first, before I'm asked for the new one.
These are the tested passwd chats:
passwd program = /usr/bin/passwd %u
; passwd chat = *Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd chat = *Password:* %o\n *"Enter new password:"* %n\n *"Enter it again:"* %n\n *"passwd: password updated successfully"* .
pam password change = yes
Greetz, Torsten
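
Added example, not part of the original post and not Samba's code: a small offline model of how a passwd chat string breaks into expect/send pairs (quotes group words, `\n` `\r` `\t` `\s` and `%o` `%n` are expanded, `*` is a wildcard, `.` means nothing expected or sent), replayed against a prompt sequence to show at which step the chat stops matching. The function names and the prompt lists are constructed for illustration; it models only the sequential expect/send path (not `pam password change = yes`), and smbd's own matcher may differ in details such as case handling.

```python
import re

def tokenize(chat):
    """Split on whitespace; double quotes group words and are dropped."""
    tokens, cur, quoted, started = [], "", False, False
    for ch in chat:
        if ch == '"':
            quoted, started = not quoted, True
        elif ch.isspace() and not quoted:
            if started:
                tokens.append(cur)
            cur, started = "", False
        else:
            cur, started = cur + ch, True
    if started:
        tokens.append(cur)
    return tokens

def expand(token, old, new):
    # One pass, so characters inside the passwords are never re-expanded.
    table = {"\\n": "\n", "\\r": "\r", "\\t": "\t", "\\s": " ", "%o": old, "%n": new}
    return re.sub(r"\\[nrts]|%[on]", lambda m: table[m.group()], token)

def parse_chat(chat, old, new):
    """Return [(expect, send), ...]; a missing final send is treated as '.'."""
    toks = [expand(t, old, new) for t in tokenize(chat)]
    if len(toks) % 2:
        toks.append(".")
    return list(zip(toks[0::2], toks[1::2]))

def wild_match(pattern, text):
    # '*' matches any run of characters; everything else is literal.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, text.strip(), re.S) is not None

def simulate(chat, prompts, old, new):
    """Return (strings_sent, failed_step); failed_step is None on full match."""
    sent, remaining = [], iter(prompts)
    for step, (expect, send) in enumerate(parse_chat(chat, old, new), 1):
        if expect != "." and not wild_match(expect, next(remaining, "")):
            return sent, step
        if send != ".":
            sent.append(send)
    return sent, None

# Second passwd chat from the post, joined onto one line.
CHAT = r'*Password:* %o\n *"Enter new password:"* %n\n *"Enter it again:"* %n\n *"passwd: password updated successfully"* .'
# Constructed prompt sequences (not captured from a real passwd/kpasswd run).
WITH_OLD = ["Password: ", "Enter new password: ", "Enter it again: ", "passwd: password updated successfully\n"]
RENAMED = ["Password: ", "New password: ", "Retype new password: "]
```

Calling `simulate(CHAT, prompts, old, new)` with the prompts the password program really prints (taken from a manual run) gives the 1-based step whose expect string does not match, and the strings that would already have been sent by then.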