[Samba] passwd chat for samba->kerberos passwd-sync

Ludek Finstrle ludek.finstrle at pzkagis.cz
Wed Jan 31 14:11:52 GMT 2007

> This are the tested passwd chats:
>   passwd program = /usr/bin/passwd %u
> ;   passwd chat = *Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n 
> *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
>   passwd chat = *Password:* %o\n *"Enter new password:"* %n\n *"Enter 
> it again:"* %n\n *"passwd: password updated successfully"* .
>  pam password change = yes

I don't understand why you define "pam password change" and
"passwd program" with "passwd chat". You want "pam password change" or
"unix password sync" with ( "passwd program" and "passwd chat" ).

I have it this way:
   unix password sync = yes
   passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
   passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n

I have kdc on the same machine as samba PDC. I think there are more ways
where kdc is running on another machine then samba PDC.

I don't know if kerberos needs original password when it change password
for user as root throught pam (but I think it needs some password).
I have never used it this way.



More information about the samba mailing list