How can I integrate KERBEROS/LDAP for Windows password hashes?
Harry Rüter
harry_rueter@gmx.de
Sun Apr 14 08:44:19 EDT 2002
Hi people,
I'm using LDAP/CYRUS-SASL/KERBEROS for authentication of
LINUX users in my network (posixAccount).
I now want to use this for sambaAccounts too, so that the
Windows users use kerberized authentication too.
I tried something like this (an example, anonymized):
(My REALM here is XY.AB)
---snipp---
dn: uid=xy,...,dc=xy,dc=xy
logonTime: 0
displayName: admin
lmPassword: {KERBEROS}admin/lmpw@XY.AB
objectClass: sambaAccount
objectClass: posixAccount
primaryGroupID: 512
acctFlags: [UX ]
userPassword:: {KERBEROS}admin@XY.AB
uid: admin
uidNumber: 1234
cn: admi
logoffTime: 2147483647
gidNumber: 100
kickoffTime: 2147483647
pwdLastSet: 1018479812
rid: 544
homeDirectory: /home/admin
pwdCanChange: 0
pwdMustChange: 2147483647
ntPassword: {KERBEROS}admin@XY.AB
---snipp---
You see, I just tried to change the hashes for
ntPassword/lmPassword into the kerberized schema. I made
two new principals for the Win password hashes that shall
hold the passwords in future.
This didn't work, although I used the original hashes as
password.
I think I made a mistake doing it this way;
does anybody have any suggestions on how to do it?
I also have a problem including kpasswd in a script,
as it isn't possible to automate the password inputs.
I tried to build a script;
here's an example for admin/lmpw@XY.AB:
---snipp---
#!/bin/sh
# mk: try to answer kpasswd's three prompts (current password,
# new password, confirmation) from a here-document on stdin.
./kpasswd admin/lmpw << EOF
passphrase
AAD3B435B51404EEAAD3B435B51404EE
AAD3B435B51404EEAAD3B435B51404EE
EOF
---snipp---
You see, the original hash from Windows shall be the new
password.
But it doesn't work, as its output shows:
---snipp---
486dx66:/usr/local/kerberos/bin # ./mk
Password for admin/lmpw:
./kpasswd: Inappropriate ioctl for device while reading password
486dx66:/usr/local/kerberos/bin #
---snipp---
The program doesn't accept the way I want to fill it with
information from stdin, too bad.
I will work on it, because I want to have a solution
for my network, which should be a single sign-on for
Win/LINUX users using KERBEROS.
It would be fine if someone had time for an answer
which gives me hints on how to go on.
Greetings from Germany
Harry
PS: I used LDAPv3-HOWTO.html from Turbo Fredriksson
( http://www.bayour.com ) as a guide on how to work
with LDAP/KERBEROS/SASL.
I can only recommend it to everyone.
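As an added example (not part of Harry's post or of Samba/Kerberos), here is a small Python lint that checks a sambaAccount LDIF entry like the one above for the two problems visible in it: lmPassword/ntPassword must hold a 32-hex-digit hash rather than a {KERBEROS} reference, and an attribute written with "::" must carry base64. The LDIF text is constructed; the two flagged constants are the well-known LM and NT hashes of the empty password (the LM one is the value used as "new password" in the script above).

```python
import base64
import binascii
import re

# Constructed entry modelled on the one in the post (anonymized there as well).
SAMPLE_LDIF = """\
dn: uid=admin,ou=people,dc=xy,dc=ab
objectClass: sambaAccount
objectClass: posixAccount
uid: admin
lmPassword: {KERBEROS}admin/lmpw@XY.AB
ntPassword: {KERBEROS}admin@XY.AB
userPassword:: {KERBEROS}admin@XY.AB
"""

# Well-known hashes of the empty password; an account carrying one of these
# effectively has no password on the SMB side.
EMPTY_HASHES = {
    "lmPassword": "AAD3B435B51404EEAAD3B435B51404EE",
    "ntPassword": "31D6CFE0D16AE931B73C59D7E0C089C0",
}
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")


def check_entry(text):
    """Lint one LDIF entry; return a list of human-readable findings (empty = clean)."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, raw = line.partition(":")
        if not sep:
            findings.append(f"not an LDIF attribute line: {line!r}")
            continue
        name, raw = name.strip(), raw.strip()
        if raw.startswith(":"):
            # 'attr:: value' declares a base64-encoded value; make sure it is one.
            try:
                base64.b64decode(raw[1:].strip(), validate=True)
            except binascii.Error:
                findings.append(f"{name}:: declares base64 but the value is plain text; "
                                f"use a single ':'")
            continue
        if name in EMPTY_HASHES:
            if not HEX32.match(raw):
                findings.append(f"{name}: samba expects a 32-hex-digit hash, got {raw!r}")
            elif raw.upper() == EMPTY_HASHES[name]:
                findings.append(f"{name}: this is the hash of the empty password")
    return findings


if __name__ == "__main__":
    for f in check_entry(SAMPLE_LDIF):
        print("WARN", f)
```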