All, thanks for all your comments. I'd like to share the results of the subsequent research that I did. I assume below that samba3 is using the ldap backend.
For samba3, in order to synchronize the NTLM password hash in the sambaNTPassword attribute with the kerberos password, I see the following options:

------- Option based on kadm5_hook -----

* add support for samba password syncing to krb5-sync. In this scenario, krb5-sync would require additional config parameters:
  - samba_ldap_base
  - samba_ldap_uri
  - samba_ldap_keytab
  - samba_ldap_admin_dn
  krb5-sync would connect to samba_ldap_uri as samba_ldap_admin_dn using the gssapi/kerberos sasl mechanism and the credentials based on samba_ldap_keytab and then update the sambaNTPassword attribute with a new hash to reflect the password change.

------- Options based on the ldap change password operation -----

* smbk5pwd allows syncing of samba3 and kerberos passwords if a heimdal KDC is used with the ldap backend. smbk5pwd seems to directly modify the samba and kerberos password hashes using ldap. Unfortunately, a heimdal KDC with an ldap backend requires sasl minssf=0 (not a nice option), allowing unencrypted plain text password authentication via sasl for incoming connections.

* smbkrb5pwd provides the same functionality for MIT kerberos, but uses kadmin to change the kerberos password. It modifies the samba password directly in ldap.

In the two scenarios based on the ldap change password operation, things turn bad when people start changing their passwords using kpasswd, for example.

Do people think the additional feature for krb5-sync would be useful? Have I overlooked any options?

Best,
Christian

> Christian <[email protected]> writes:
>
>> we have an odd scenario here where we would like to synchronize
>> passwords in Kerberos with a Samba3 PDC. One option I see is the
>> kadm5_hook interface, so something like krb5-sync
>> (http://www.eyrie.org/~eagle/software/krb5-sync/) targeted at syncing
>> with samba3. Is anybody aware of projects or code or other options?
>
> I suspect that krb5-sync would just work. The password synchronization is
> done via the kpasswd protocol, which I'm fairly sure that Samba3 supports.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
