Unify Unix and NT accounts with kerberos

Balazs GAL balsa at rit.bme.hu
Sat May 10 14:59:50 EDT 2003


On 2003-05-01 (Thursday), Jerome Walter wrote:
> Good evening everyone,
> 
> I have been asked to study and implement a technology to unify accounts and
> data between NT (2000), Unix (Solaris) and GNU/Linux stations.
> 
> For the moment, i think Kerberos would be the best (the only one ?) solution
> to have the same password between NT and Unix, is it true ?

Try Heimdal and my heimdal_pwexport from pam-krb5.sf.net.
This will allow you to export the new user password to an expect script, and
with it you can change the user's NTLM hash with smbpasswd.
If you use Samba with an LDAP backend it doesn't require the KDC and Samba PDC
to be on the same machine.

Sample script (provided in the CVS too):

# don't forget this line
set timeout 10

# $princ_name, $princ_instance, $princ_realm and $princ_password, as well as
# the $PWEXP_* return codes, are handed to this script by heimdal_pwexport.
# Only plain user principals (no instance) of our own realm are exported;
# anything else is reported as an unknown user and left alone.
if {$princ_instance == "" && $princ_realm == "YOUR.REALM"} {
    # smbpasswd run as root sets the password without asking for the old one
    spawn -noecho /usr/bin/smbpasswd $princ_name
    expect "New SMB password:"
    send "$princ_password\r"
    expect "Retype new SMB password:"
    send "$princ_password\r"
    # "default" also covers timeout and eof (smbpasswd died without a message)
    expect {
        "Password changed for user $princ_name"
                {set return_value $PWEXP_SUCCES}
        "Failed to find entry for user $princ_name"
                {set return_value $PWEXP_USER_UNKNOWN}
        default {set return_value $PWEXP_SYSTEM_ERR}
    }
} else {
    set return_value $PWEXP_USER_UNKNOWN
}


To synchronize the passwords from the NT domain, use Samba's passwd chat option:

smb.conf:

# run "passwd program" whenever an SMB password is changed, so the
# Kerberos principal gets the new password too
unix password sync = yes

# kadmin authenticates as the "samba" principal with a keytab, so no
# interactive admin password is needed
passwd program = /usr/sbin/kadmin -p samba -K /etc/samba/samba.keytab passwd %u@YOUR.REALM

# alternating expect/send tokens: \s is a space, \n a newline, %n the new
# password; the final "." expects nothing (kadmin exits silently on success)
passwd chat = *%u@YOUR.REALM's\sPassword:* %n\n *Verifying\spassword\s-\s%u@YOUR.REALM's\sPassword:* %n\n .


balsa
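A small checker for the "passwd chat" string, added here as an example and not part of the post, of heimdal_pwexport, or of Samba's own code: it reimplements in simplified form how Samba turns the chat into expect/send turns (whitespace-separated tokens, the \s \n \r \t escapes, %u and %n substitution, "." for "nothing") and drives it against a constructed kadmin transcript whose prompts mirror the ones the posted chat is written against. The prompt wording "Verifying password - ", the shell-style wildcard matching, and the user "alice" with password "s3cret" are assumptions made for the example. It checks both the chat line as it appears in the post (with "%u@'YOUR.REALMs") and the same line with the apostrophe placed where kadmin prints it.

```python
import fnmatch

# "passwd chat" exactly as it appears in the post: the first expect token
# reads "%u@'YOUR.REALMs", so it cannot match kadmin's "user@REALM's" prompt
CHAT_AS_POSTED = (
    r"*%u@'YOUR.REALMs\sPassword:* %n\n "
    r"*Verifying\spassword\s-\s%u@YOUR.REALM's\sPassword:* %n\n ."
)

# the same string with the apostrophe where kadmin prints it
CHAT_FIXED = (
    r"*%u@YOUR.REALM's\sPassword:* %n\n "
    r"*Verifying\spassword\s-\s%u@YOUR.REALM's\sPassword:* %n\n ."
)


def kadmin_prompts(user):
    # Constructed transcript of "kadmin passwd user@YOUR.REALM" (assumption:
    # this is the wording of the Heimdal version the post targets), one entry
    # per turn of the chat; the last turn is kadmin exiting silently on success.
    return [
        f"{user}@YOUR.REALM's Password: ",
        f"Verifying password - {user}@YOUR.REALM's Password: ",
        "",
    ]


def unescape(token):
    # Samba chat escapes: \n \r \t \s; a lone "." means "nothing"
    if token == ".":
        return ""
    for esc, ch in (("\\n", "\n"), ("\\r", "\r"), ("\\t", "\t"), ("\\s", " ")):
        token = token.replace(esc, ch)
    return token


def parse_chat(chat, user, new_pw):
    # Tokens alternate expect/send; a trailing expect with no send is allowed.
    # Escapes are resolved before %u/%n substitution so the password bytes are
    # never reinterpreted as escapes.
    tokens = [unescape(t) for t in chat.split()]
    turns = []
    for i in range(0, len(tokens), 2):
        expect = tokens[i].replace("%u", user)
        send = None
        if i + 1 < len(tokens):
            send = tokens[i + 1].replace("%u", user).replace("%n", new_pw)
        turns.append((expect, send))
    return turns


def run_chat(chat, user, new_pw, prompts=None):
    # Drive the chat against the program's prompts. Expect patterns use
    # shell-style wildcards, as Samba's matcher does. Returns the strings the
    # chat would write to the program, or None at the first prompt mismatch.
    if prompts is None:
        prompts = kadmin_prompts(user)
    sent = []
    for (expect, send), output in zip(parse_chat(chat, user, new_pw), prompts):
        if expect and not fnmatch.fnmatchcase(output, expect):
            return None
        if send is not None:
            sent.append(send)
    return sent


if __name__ == "__main__":
    for label, chat in (("as posted", CHAT_AS_POSTED), ("fixed", CHAT_FIXED)):
        print(label, "->", run_chat(chat, "alice", "s3cret"))
```

Running it shows the posted line failing at the very first prompt while the fixed line delivers the new password twice, each terminated by the newline from `%n\n`; the same harness can be pointed at a captured transcript of your own kadmin build by passing it as `prompts`.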



More information about the Kerberos mailing list