On Wed, 2005-01-19 at 20:16 -0500, Mark Roach wrote:
> I am getting a bit confused about which methods to use to keep my
> passwords synced given the following scenario.
>
> Samba PDC using LDAP backend.
> LDAP uses [EMAIL PROTECTED] type passwords
> Sasl mechanism is saslauthd using kerberos5
>
> I can use pam like:
>
> password required pam_smbpass.so
> password required pam_krb5.so use_first_pass
>
> and then passwd will set both passwords
>
> but how can I make it so that changing user password from a windows
> workstation will also change the kerberos password? "pam passwd change"
> does not seem to be doing the trick.

Samba doesn't have the plaintext password, so can't do things via PAM that require the original plaintext.

At my site, I have Heimdal Kerberos backed onto the same LDAP directory as Samba, so they share the passwords for the arcfour-hmac-md5 encryption type, and so there is no need for a separate Kerberos password set.

You could also use the smbk5pwd OpenLDAP module, which will fill out the other Kerberos encryption types at the same time. (I'm not yet running this). I think this module should run with 'ldap password sync = only'.

If you can't do all that, then you need to write a script for the 'unix password sync' and specify it in 'passwd program'. It must have the ability to set passwords, while being root on your Samba server, without the previous plaintext. (i.e., a wrapper around kadmin).

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
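
The last option in the reply above, a 'passwd program' wrapper around kadmin, as an added example that is not part of the original message or of Samba. It assumes Heimdal's `kadmin -l passwd --password=`; the script path `/usr/local/sbin/krb5-setpw`, the realm `EXAMPLE.COM` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: wrapper for smb.conf 'passwd program'. Assumed smb.conf lines
# (script path hypothetical):
#   unix password sync = yes
#   passwd program = /usr/local/sbin/krb5-setpw %u
#   passwd chat = *new*password* %n\n *new*password* %n\n *changed*
# Samba runs the program as root and answers its prompts with the new password.

REALM="${REALM:-EXAMPLE.COM}"   # placeholder realm
KADMIN="${KADMIN:-kadmin}"      # assumption: Heimdal kadmin, used in local (-l) mode

# Accept only plain account names, so a crafted name can never select another
# principal (e.g. root/admin) or be parsed by kadmin as an option.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prompt twice on stdout, read the answers on stdin, then set the Kerberos
# password without needing the old one.
change_password() {
    user=$1
    valid_user "$user" || { echo "refusing user name" >&2; return 2; }
    printf 'Enter new password: '
    IFS= read -r pw1 || return 1
    printf 'Retype new password: '
    IFS= read -r pw2 || return 1
    if [ -z "$pw1" ] || [ "$pw1" != "$pw2" ]; then
        echo "passwords do not match" >&2
        return 1
    fi
    # Caveat: --password places the secret in kadmin's argv, where local users
    # can see it in the process list while the command runs.
    "$KADMIN" -l passwd --password="$pw1" "$user@$REALM" >/dev/null || return 1
    echo "password changed"
}

# Samba always passes the user name (%u); with no argument this file only
# defines the functions.
if [ "$#" -gt 0 ]; then
    change_password "$1"
fi
```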