Hello!

I tried to run a samba3 server as pdc for windowsXP clients with ldap backend and kerberos authentication.

I'm stuck with these two possibilities:

1. Samba is pdc, winxp is domain-member, users are authenticated against smbpasswords within ldapsam. If the kerberos password of the corresponding principal has the same password, the users get a ticket from the kdc after windows logon. But I have two password databases: ldapsam and kerberos

2. Windows XP authenticates directly against the kdc. But Windows is then NOT member of a samba-domain, it is in a workgroup named after the kerberos-realm. So I have locally organized users, no netlogon features, no roaming profiles...

The only hack to get a real domain with pdc and members and just one password database that I know about is the ability to sync samba passwords with linux passwords. Syncing the linux passwords in my scenario means syncing the kerberos passwords...

Now my question: Can anyone tell if I'm right with my config so far, or could it be done better?

Can anyone provide me a passwd chat that enables me to sync the linux/kerberos passwords? I tried the normal passwd chat and tried to edit it, but I always run into problems. I think it's because with kerberos I have to provide the old password first, before I'm asked for the new one.

These are the tested passwd chats:

passwd program = /usr/bin/passwd %u
; passwd chat = *Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd chat = *Password:* %o\n *"Enter new password:"* %n\n *"Enter it again:"* %n\n *"passwd: password updated successfully"* .
pam password change = yes

Greetz,
Torsten
> These are the tested passwd chats:
>
> passwd program = /usr/bin/passwd %u
> ; passwd chat = *Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd chat = *Password:* %o\n *"Enter new password:"* %n\n *"Enter it again:"* %n\n *"passwd: password updated successfully"* .
> pam password change = yes

I don't understand why you define "pam password change" and "passwd program" with "passwd chat". You want "pam password change" or "unix password sync" with ("passwd program" and "passwd chat").

I have it this way:

unix password sync = yes
passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n

I have kdc on the same machine as samba PDC. I think there are more ways where kdc is running on another machine than samba PDC.

I don't know if kerberos needs the original password when it changes the password for a user as root through pam (but I think it needs some password). I have never used it this way.

Regards,
Luf
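The thread above turns on how Samba pairs the tokens of "passwd chat" into expect/send steps and matches them against whatever the "passwd program" prints. The following is an added illustration, not Samba's code and not a configuration from either poster: it re-implements the documented chat rules in a simplified model (whitespace-separated tokens, double quotes grouping and toggling, `*` wildcards, `\n`/`\s` escapes, `%u`/`%o`/`%n` substitution, `.` for "nothing") and runs two chats against a constructed stand-in for `kadmin.local -q 'cpw USER'`. The prompt wording of the fake kadmin, the sample chat `KADMIN_CHAT`, the realm, the user name and the passwords are all assumptions made for the example. It shows why a chat written for the UNIX `passwd` prompts never gets past its first expect when the program on the other end is a Kerberos admin tool: the expected text simply never appears, and Samba then fails the change with a timeout instead of corrupting anything.

```python
import fnmatch

# Simplified model of how Samba consumes "passwd chat" (assumption: follows the
# rules documented in smb.conf(5); this is not Samba's own implementation).

def tokenize(chat):
    """Split a chat string on whitespace; double quotes group text and
    toggle, so "abc "%u" def" is one token (assumed Samba behaviour)."""
    tokens, cur, quoted, in_tok = [], [], False, False
    for ch in chat:
        if ch == '"':
            quoted = not quoted
            in_tok = True
        elif ch.isspace() and not quoted:
            if in_tok:
                tokens.append("".join(cur))
                cur, in_tok = [], False
        else:
            cur.append(ch)
            in_tok = True
    if in_tok:
        tokens.append("".join(cur))
    return tokens

def parse_chat(chat):
    """Pair tokens into (expect, send) steps; an odd count is a config error."""
    toks = tokenize(chat)
    if len(toks) % 2:
        raise ValueError("passwd chat must alternate expect/send tokens")
    return list(zip(toks[0::2], toks[1::2]))

def expand(token, user, old, new):
    """Substitute %u/%o/%n, then the \\n \\r \\t \\s escapes."""
    token = token.replace("%u", user).replace("%o", old).replace("%n", new)
    return (token.replace("\\n", "\n").replace("\\r", "\r")
                 .replace("\\t", "\t").replace("\\s", " "))

class FakeKadmin:
    """Constructed stand-in for `kadmin.local -q 'cpw USER'`; the exact prompt
    wording is an assumption for this example, not captured output."""
    def __init__(self, user, realm="EXAMPLE.COM"):
        self.principal = f"{user}@{realm}"
        self.inputs = []
        self.pending = [
            f"Authenticating as principal root/admin@{realm} with password.\n",
            f'Enter password for principal "{self.principal}": ',
        ]
    def read(self):                      # next chunk of program output, None at EOF
        return self.pending.pop(0) if self.pending else None
    def write(self, line):               # one line fed to the program's stdin
        self.inputs.append(line.rstrip("\n"))
        if len(self.inputs) == 1:
            self.pending.append(f'Re-enter password for principal "{self.principal}": ')
        elif len(self.inputs) == 2:
            if self.inputs[0] == self.inputs[1]:
                self.pending.append(f"Password for {self.principal} changed.\n")
            else:
                self.pending.append("cpw: Password mismatch while reading password\n")

def run_chat(chat, program, user, old, new):
    """Drive `program` with the chat; returns (ok, diagnostic)."""
    buf = ""
    for expect, send in parse_chat(chat):
        if expect != ".":
            pattern = expand(expect, user, old, new)
            while not fnmatch.fnmatchcase(buf, pattern):   # '*' matches across newlines
                chunk = program.read()
                if chunk is None:                          # Samba would time out here
                    return False, f"expected {pattern!r}, got {buf!r}"
                buf += chunk
            buf = ""
        if send != ".":
            program.write(expand(send, user, old, new))
    return True, "password changed"

# Sample chat for the fake kadmin prompts (constructed for this example).
KADMIN_CHAT = (r'*Authenticating\sas\sprincipal* . '
               r'*Enter\spassword\sfor\sprincipal* %n\n '
               r'*Re-enter\spassword\sfor\sprincipal* %n\n '
               r'*changed.* .')

# The UNIX passwd chat from the thread, unchanged.
UNIX_CHAT = (r'*Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n '
             r'*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .')

if __name__ == "__main__":
    for name, chat in (("kadmin chat", KADMIN_CHAT), ("unix chat", UNIX_CHAT)):
        ok, msg = run_chat(chat, FakeKadmin("tb"), "tb", "oldpw", "newpw")
        print(f"{name}: {'OK' if ok else 'FAILED'} ({msg})")
```

Running it shows the constructed kadmin chat completing all four steps while the UNIX chat stalls on `*Password:*` because neither output line of the fake kadmin contains that text. The same approach (log what the program actually prints, then write expect tokens that match it) is what a practitioner would do on a real system; note that `.` in the expect position is what lets a step send nothing and simply wait for the next prompt.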
Just curious, looking at these lists for the last few days. What distros do people prefer to set up a Linux PDC? My preference is SME server 7.1 (essentially based on CENTOS I believe).

Thanks
Dave

> -----Original Message-----
> From: samba-bounces+david.ellison=atkinsglobal.com@lists.samba.org
> [mailto:samba-bounces+david.ellison=atkinsglobal.com@lists.samba.org] On Behalf Of Ludek Finstrle
> Sent: 31 January 2007 14:12
> To: Torsten Becker
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] passwd chat for samba->kerberos passwd-sync
>
> > These are the tested passwd chats:
> >
> > passwd program = /usr/bin/passwd %u
> > ; passwd chat = *Password:* %o\n *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
> > passwd chat = *Password:* %o\n *"Enter new password:"* %n\n *"Enter it again:"* %n\n *"passwd: password updated successfully"* .
> > pam password change = yes
>
> I don't understand why you define "pam password change" and "passwd program" with "passwd chat". You want "pam password change" or "unix password sync" with ("passwd program" and "passwd chat").
>
> I have it this way:
> unix password sync = yes
> passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
> passwd chat = "Authenticating as principal*"\n"Enter password for principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n \n"Password for *"%u"@* changed."\n
>
> I have kdc on the same machine as samba PDC. I think there are more ways where kdc is running on another machine than samba PDC.
>
> I don't know if kerberos needs the original password when it changes the password for a user as root through pam (but I think it needs some password). I have never used it this way.
>
> Regards,
>
> Luf
On 01/02/2007, at 12:23 AM, Torsten Becker wrote:

> Hello!
>
> I tried to run a samba3 server as pdc for windowsXP clients with ldap backend and kerberos authentication.
>
> I'm stuck with these two possibilities:
>
> 1. Samba is pdc, winxp is domain-member, users are authenticated against smbpasswords within ldapsam.
> If the kerberos password of the corresponding principal has the same password, the users get a ticket from the kdc after windows logon.
> But I have two password databases: ldapsam and kerberos

I currently have this setup at my place of work. The only catch is that I have to install the Mit Kerberos for Windows release in order to get the kerberos tickets from the KDC at login - and not all kerberised windows apps know about the Mit kerberos libraries for windows :( (fortunately the postgres ODBC drivers, mozilla firefox and thunderbird, and putty are so aware).

Is this what you had in mind, or do you actually have a way to convince Windows XP itself to get a ticket from the KDC after login to the Samba domain? I would be very interested if you did.

--
Matt Skerritt
matt.skerritt@agrav.net