Fedora directory users - Nov 2006 - FDS - using one password for Samba and Linux accounts

Hi List,

I have FDS configured in the server. There are windows and Linux client in
our network. Windows users also have Linux. 

Linux clients are authenticating to fds. Samba server is running in a
different server and refers to the fds server(ldapbackend). For windows i
had to create a separate password with smbpasswd -a username for each user
which means samba password can be different from Linux password. Also the
password policy doesn''t apply to the smbpasswd i create.

Is there a way to use one password for both windows and linux logins?

TIA,
SK

Saravana Kumar wrote:
> Hi List,
>
> I have FDS configured in the server. There are windows and Linux client in
> our network. Windows users also have Linux. 
>
> Linux clients are authenticating to fds. Samba server is running in a
> different server and refers to the fds server(ldapbackend). For windows i
> had to create a separate password with smbpasswd -a username for each user
> which means samba password can be different from Linux password. Also the
> password policy doesn''t apply to the smbpasswd i create.
>
> Is there a way to use one password for both windows and linux logins?
>   
No.  This has been on our wishlist for some time now.
http://directory.fedora.redhat.com/wiki/Wishlist#Passwords
> TIA,
> SK
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

El mar, 21-11-2006 a las 10:19 -0700, Richard Megginson
escribió:
> Saravana Kumar wrote:
> > Is there a way to use one password for both windows and linux logins?
> >   
> No.  This has been on our wishlist for some time now.
> http://directory.fedora.redhat.com/wiki/Wishlist#Passwords
Could the Perl Crypt-SmbHash module be useful?

http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm

I''m experimenting with it to create ldif files with NT and LanMan
passwords.
-- 
Oscar A. Valdez

Oscar A. Valdez wrote:
> El mar, 21-11-2006 a las 10:19 -0700, Richard Megginson escribió:
>   
>> Saravana Kumar wrote:
>>     
>>> Is there a way to use one password for both windows and linux
logins?
>>>   
>>>       
>> No.  This has been on our wishlist for some time now.
>> http://directory.fedora.redhat.com/wiki/Wishlist#Passwords
>>     
>
> Could the Perl Crypt-SmbHash module be useful?
>   
Could be useful for generating the initial passwords, but not for 
keeping them in sync on the server side.
> http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm
>
> I''m experimenting with it to create ldif files with NT and LanMan
> passwords.
>

Richard Megginson wrote:
> Oscar A. Valdez wrote:
>> El mar, 21-11-2006 a las 10:19 -0700, Richard Megginson escribió:
>>   
>>> Saravana Kumar wrote:
>>>     
>>>> Is there a way to use one password for both windows and linux
logins?
>>>>   
>>>>       
>>> No.  This has been on our wishlist for some time now.
>>> http://directory.fedora.redhat.com/wiki/Wishlist#Passwords
>>>     
>>
>> Could the Perl Crypt-SmbHash module be useful?
>>   
> Could be useful for generating the initial passwords, but not for
> keeping them in sync on the server side.
>> http://search.cpan.org/~bjkuit/Crypt-SmbHash-0.12/SmbHash.pm
>>
>> I''m experimenting with it to create ldif files with NT and
LanMan
>> passwords.
>>
Thanks for the info 

Regds,
SK

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Saravana Kumar wrote:
> Hi List,
> 
> I have FDS configured in the server. There are windows and Linux client in
> our network. Windows users also have Linux. 
> 
> Linux clients are authenticating to fds. Samba server is running in a
> different server and refers to the fds server(ldapbackend). For windows i
> had to create a separate password with smbpasswd -a username for each user
> which means samba password can be different from Linux password. Also the
> password policy doesn''t apply to the smbpasswd i create.
> 
> Is there a way to use one password for both windows and linux logins?
it seems imposible.
btw on my system (postfix+dovecot+squirrelmail+FDS+samba) i''m having
the
same problem.

on sysadmin side that should be no problem at all because by using
webmin the userPassword and sambaNTPassword+sambaLMPassword is always
syncronized.

the problem was on user side (windows user), when they change their
password it only change sambaNTPassword and sambaLMPassword. this
problem should be solved too by using option "unix password
sync"+"passwd program"+"passwd chat" on samba so that
userPassword can
be sync.
but i''m having error message "you do not have permission to change
password".

on samba guidance when "unix password sync" set to "yes" the
"passwd
program" must be run as root. but i can not find any guidance on how to
run it with root permission.

does anyone know how to solve this problem?

thanks
sigid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFZR8AqiPNNgPlDu0RAk/TAKC6tZqbXwsSYtCFjosx2U0zb44Q6ACbBork
NEXfN7uIYcMyiSxQH6LdWpc=Mtcu
-----END PGP SIGNATURE-----

On 11/22/06, sigid@JINLab <sigidwu@gmail.com>
wrote:
> on sysadmin side that should be no problem at all because by using
> webmin the userPassword and sambaNTPassword+sambaLMPassword is always
> syncronized.
>
> the problem was on user side (windows user), when they change their
> password it only change sambaNTPassword and sambaLMPassword. this
> problem should be solved too by using option "unix password
> sync"+"passwd program"+"passwd chat" on samba so
that userPassword can
> be sync.
> but i''m having error message "you do not have permission to
change
> password".
Try using Samba''s "ldap password sync" option rather than the
"unix
password sync" option.

Josh Kelley

I have a brand-new Samba 3.x domain working with LDAP/FDS backend; this 
is just for my small (university) department of ~350 users.   The 
university operates an overarching Kerberos realm.  My best possible 
case would be to use that Kerberos realm for authentication/password but 
continue to maintain department LDAP for actual user/group 
authorization/rights.   If I can get everything to use people''s
existing
university password, that would be very sweet; failing that, I have to 
give out about 300 passwords in the next month :(

I see the FDS Kerberos Howto, and it seems to make Kerberos integration 
pretty simple, but what is not clear to me is whether it is possible to 
pass this Kerberos authentication through to Samba clients.  The few 
references I see to Samba-Kerberos integration modify the smb.conf with 
direct references to kerberos realm and keytab that would seem to result in:

     Samba ----> Kerberos
     _____ <---- ________

where what I think I want is more like:

     Samba ----> LDAP ----> Kerberos
     _____ <---- ____ <---- ________

(sorry for the awful ASCII!)  where I retain "passdb backend = 
ldapsam:ldap://x.x.x.x" as the user/group store, but where LDAP refers 
to Kerberos for authn/passwd.

I was going to pose this question to the Samba users list, but I thought 
there might be more value to ask first whether anyone has worked on this 
in a FDS context.  Not to say anything bad about other LDAP servers, but 
I can sometimes find it hard to map integration discussions that use 
OpenLDAP examples to my situation. 

So, anyone on the list running a completely integrated 
Samba/FDS/Kerberos setup that references an overarching Kerberos realm?

Thanks,

Jim


Richard Megginson wrote:
> Saravana Kumar wrote:
>> Hi List,
>>
>> I have FDS configured in the server. There are windows and Linux 
>> client in
>> our network. Windows users also have Linux.
>> Linux clients are authenticating to fds. Samba server is running in a
>> different server and refers to the fds server(ldapbackend). For 
>> windows i
>> had to create a separate password with smbpasswd -a username for each 
>> user
>> which means samba password can be different from Linux password. Also 
>> the
>> password policy doesn''t apply to the smbpasswd i create.
>>
>> Is there a way to use one password for both windows and linux logins?
>>   
> No.  This has been on our wishlist for some time now.
> http://directory.fedora.redhat.com/wiki/Wishlist#Passwords
>> TIA,
>> SK
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>