[19227] in Kerberos
Re: Unify Unix and NT accounts with kerberos
daemon@ATHENA.MIT.EDU (Balazs GAL)
Sat May 10 15:01:01 2003
From: Balazs GAL <balsa@rit.bme.hu>
To: Jerome Walter <walter+SP@M.efrei.fr>
In-Reply-To: <slrnbb32t9.kb6.walter+SP@droopy.sun.efrei.fr>
Content-Type: text/plain; charset=ISO-8859-2
Message-Id: <1052593189.28266.31.camel@balcsi.vectra.startv.hu>
Mime-Version: 1.0
Date: 10 May 2003 20:59:50 +0200
Content-Transfer-Encoding: 8bit
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
On Thu, 2003-05-01, Jerome Walter wrote:
> Good evening everyone,
>
> I have been asked to study and implement a technology to unify accounts and
> data between NT (2000), Unix (Solaris) and GNU/Linux stations.
>
> For the moment, I think Kerberos would be the best (the only one?) solution
> to have the same password between NT and Unix, is it true?

Try heimdal and my heimdal_pwexport from pam-krb5.sf.net.
This will allow you to export the new user passwd to an expect script, and
with it you can change the user's NTLM hash with smbpasswd.
If you use Samba with an LDAP backend, it doesn't require the KDC and Samba PDC
to be on the same machine.

Sample script (provided in the CVS too):

    # don't forget this line
    set timeout 10
    if {$princ_instance == "" && $princ_realm == "YOUR.REALM"} {
        spawn -noecho /usr/bin/smbpasswd $princ_name
        expect "New SMB password:"
        send "$princ_password\r"
        expect "Retype new SMB password:"
        send "$princ_password\r"
        expect {
            "Password changed for user $princ_name"
                {set return_value $PWEXP_SUCCES}
            "Failed to find entry for user $princ_name"
                {set return_value $PWEXP_USER_UNKNOWN}
            default {set return_value $PWEXP_SYSTEM_ERR}
        }
    } else {
        set return_value $PWEXP_USER_UNKNOWN
    }

To synchronize the passwords from the NT domain, use the Samba passwd chat option:

smb.conf:
    passwd program = /usr/sbin/kadmin -p samba -K /etc/samba/samba.keytab passwd %u@YOUR.REALM
    passwd chat = *%u@YOUR.REALM's\sPassword:* %n\n *Verifying\spassword\s-\s%u@YOUR.REALM's\sPassword:* %n\n .

balsa
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
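
An added example, not part of the original message and not Samba's code: a simplified Python model of how a passwd chat string splits into expect/send pairs and is matched, for checking a chat line against the prompts the passwd program prints before deploying it. The user name, password and prompts are constructed, and fnmatch standing in for Samba's own wildcard matcher is an assumption.

```python
import fnmatch
import re

# Escapes that smb.conf(5) documents for "passwd chat" tokens.
ESCAPES = {"\\n": "\n", "\\r": "\r", "\\t": "\t", "\\s": " "}

def expand(token, user, new_pw):
    """Expand backslash escapes and %u/%n in one chat token, in a single pass."""
    def repl(m):
        s = m.group(0)
        return ESCAPES.get(s) or {"%u": user, "%n": new_pw}[s]
    return re.sub(r"\\[nrts]|%[un]", repl, token)

def parse_chat(chat, user, new_pw):
    """Split a chat string into (expect, send) pairs; '.' means 'nothing'."""
    tokens = [expand(t, user, new_pw) for t in chat.split()]
    if len(tokens) % 2:          # trailing expect with no send
        tokens.append(".")
    return list(zip(tokens[0::2], tokens[1::2]))

def run_chat(chat, prompts, user, new_pw):
    """Replay prompts against the chat; return (ok, failed_pair_index, sent)."""
    sent, remaining = [], list(prompts)
    for i, (exp, snd) in enumerate(parse_chat(chat, user, new_pw)):
        if exp != ".":
            if not remaining or not fnmatch.fnmatchcase(remaining.pop(0), exp):
                return False, i, sent
        if snd != ".":
            sent.append(snd)
    return True, None, sent

# Constructed sample data (not captured from a real KDC).
USER, NEW_PW = "alice", "Constructed-Pw1"
PROMPTS = [
    "alice@YOUR.REALM's Password: ",
    "Verifying password - alice@YOUR.REALM's Password: ",
]
GOOD = (r"*%u@YOUR.REALM's\sPassword:* %n\n "
        r"*Verifying\spassword\s-\s%u@YOUR.REALM's\sPassword:* %n\n .")
# Same chat with the apostrophe in the first pattern misplaced.
BAD = GOOD.replace("%u@YOUR.REALM's", "%u@'YOUR.REALMs", 1)

if __name__ == "__main__":
    for name, chat in (("good", GOOD), ("bad", BAD)):
        print(name, run_chat(chat, PROMPTS, USER, NEW_PW))
```

A chat that fails on the first pair never sends the new password, so the Kerberos password stays unchanged while the NT-side change may still go through, leaving the two out of sync.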