Hello, my first post here :-),

For several years, I have been using Samba 2.0 with a local backend for Windows stations and servers. NIS was used for our Linux stations and servers.

Now, LDAP/Kerberos is replacing NIS, and Samba (with an LDAP backend) will replace the local backend.

My questions:

1- How can I migrate information from server1 (Samba 2) to server2 (Samba 3)? I read the official Samba how-to but this scenario is not covered.

2- Because Samba cannot use MIT Kerberos for passwords (as far as I know), I need to sync the Samba password with the Kerberos database. When a user from Windows wants to change his password, Samba will use a custom script (not created yet) to also update the Kerberos password (if you have examples they're more than welcome).

But the big problem is Linux users: if they want to update their password, they use kpasswd, but it will not update the Samba password. Has one of you managed to create a script to update both DBs from the command line? I'm not a Kerberos/Samba expert, but I suppose it's possible to change the Samba password from the Linux command line and then call the Kerberos kpasswd to also change this password. Then, I'll add it to all users' ~/bin.

Thanks !!
FM
Turbo Fredriksson
2005-Jan-17 08:33 UTC
[Samba] Sync password (with MIT-kerberos server) and migration
>>>>> "FM" == FM <dist-list@lexum.umontreal.ca> writes:

FM> Now, LDAP /KERBEROS is replacing NIS and Samba (with ldap
FM> backend) will replace the local backend .

Is your LDAP server by any chance OpenLDAP? If not, my examples probably won't work...

FM> 2- Because Samba can not use MIT-Kerberos for password (as far
FM> as I know)

Don't know if this is true, but it doesn't matter. Use

    userPassword: {SASL}principal@REALM

then LDAP will 'ask' the KDC, and Samba doesn't have to care...

FM> When user from Windows want to change his password,
FM> samba will use a custom script (not created yet ) to also so
FM> update the Kerberos password (if you have examples they're
FM> more then welcome).

With some additional tests around this, all you need is a one-liner:

    kadmin -q "cpw -pw secret principal"

FM> But the big problem is Linux users : If
FM> they want to update they password, they use kpasswd but it
FM> will not update samba password.

As said above, using {SASL}, that doesn't matter...

Please have a look at bayour.com/LDAPv3-HOWTO.html. It's old, but there should be SOMETHING in there for you...

-- 
jihad fissionable domestic disruption smuggle Saddam Hussein munitions 767 Kennedy plutonium PLO spy assassination Ft. Bragg Ft. Meade subway
[See aclu.org/echelonwatch/index.html for more about this]
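One way to put the "additional tests" around the kadmin one-liner from the reply above, as an added example that is not part of the thread. It assumes the script receives the user name as an argument and the new password on standard input; the function names, the `--user` switch, the 8-character minimum and the `EXAMPLE.ORG` realm are all placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed interface: user name as an
# argument, new password on stdin. REALM below is a placeholder.
REALM="${REALM:-EXAMPLE.ORG}"

# Allow only plain account names, so nothing but a name reaches kadmin.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# kadmin parses the -q string itself: refuse anything that would split the
# query or need quoting (whitespace, quotes, backslash), and short passwords
# (the minimum of 8 is an assumed policy).
valid_password() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in
        *[[:space:]]*|*\"*|*\'*|*\\*) return 1 ;;
    esac
    return 0
}

# Returns 2 for a bad user name, 3 for a bad password, else kadmin's status.
set_krb_password() {
    krb_user=$1
    krb_pw=$2
    valid_user "$krb_user" || { echo "rejected user name" >&2; return 2; }
    valid_password "$krb_pw" || { echo "rejected password" >&2; return 3; }
    # Caveat: -pw places the password on kadmin's command line, where it can
    # show up in the local process list while kadmin runs.
    kadmin -q "cpw -pw $krb_pw $krb_user@$REALM" >/dev/null
}

main() {
    IFS= read -r new_pw || return 1   # exactly one line from stdin
    set_krb_password "$1" "$new_pw"
}

# Run only when called as: script --user NAME  (password on stdin)
if [ "${1:-}" = "--user" ]; then
    main "${2:-}"
fi
```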
Andrew Bartlett
2005-Jan-17 09:12 UTC
[Samba] Sync password (with MIT-kerberos server) and migration
On Sun, 2005-01-16 at 15:52 -0500, FM wrote:
> Hello, my first post here :-),
>
> For several years, I are using samba 2.0 with local backend for windows
> stations and servers.
> NIS was our used for Linux stations and servers
>
> Now, LDAP /KERBEROS is replacing NIS and Samba (with ldap backend) will
> replace the local backend .
>
> My questions :
> 1- How can I migrate information form server1 (samba 2) to server2 (samba 3)
> ? I read the official Samba how-to but this scenario is not covered.

Use the ldapsam_compat passdb backend, for compatibility with Samba 2.2. I'm not sure about Samba 2.0 however, that's before my time...

> 2- Because Samba can not use MIT-Kerberos for password (as far as I know), I
> need to sync samba password with Kerberos database. When user from Windows
> want to change his password, samba will use a custom script (not created yet
> ) to also so update the Kerberos password (if you have examples they're more
> then welcome).
> But the big problem is Linux users : If they want to update they password,
> they use kpasswd but it will not update samba password.
> Is one of you manage to create a script to update both DB form command line
> ? I not a kerberos/samba expert but I suppose it's possible to change samba
> password form linux command linux and then call the kerberos kpasswd to also
> change this password. Then, I'll add it to all users ~/bin

The solution I use is to back Heimdal Kerberos onto the Samba password backend.

sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap

Andrew Bartlett

-- 
Andrew Bartlett samba.org/~abartlet
Authentication Developer, Samba Team samba.org
Student Network Administrator, Hawker College hawkerc.net