Password Syncing to Kerberos using SFU's ssod

Douglas E. Engert deengert at anl.gov
Thu Jan 10 17:34:58 EST 2008



Colin Simpson wrote:
> I'm looking at finding a new solution to syncing passwords between AD and
> Kerberos. We had been using CEDAR for this and it's great but the
> passwdHK dll on windows hates it if you pass in an 8 bit ascii password.
> 
> So I was looking for alternatives. MS's SFU ssod looks ok but only
> supports NIS password changes (out of the box). I don't suppose anyone
> has changed ssod to support Kerberos password changes. 

No, but I did it to update OPENLDAP passwords. The trick was to have ssod
call pam_ldap. And I wrote a pam_pwsync to catch loop conditions as password
changes could go both ways.

So you don't really have to change ssod, just have it call pam_krb5.
You may have to have a modified pam_krb5...

You should look at using one realm, either AD or Kerberos, or look
at cross realm between the two.

(This never went into production. The project was dropped, and there
were still some issues. And I was never in favor of this approach.)


> 
> Or knows of a better password change hook in windows (and not too
> pricey). 
> 
> Thanks
> 
> Colin

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
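
One way to catch the loop condition mentioned in the reply above, where a change pushed to one side comes back through the other side's change hook. This is an added example, not code from the post and not the pam_pwsync module it mentions; the class name, the `ad`/`krb5` labels, the TTL and the sample password are assumptions.

```python
import hashlib
import hmac
import os
import time


class SyncLoopGuard:
    """Suppress the echo when a password change propagated to the peer
    directory is reported back by the peer's own change hook."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._key = os.urandom(32)   # per-process key, never written to disk
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}           # (side expected to echo, tag) -> expiry

    def _tag(self, user, password):
        # Keyed digest: the table never holds the password or a bare hash.
        # UTF-8 encoding keeps non-ASCII passwords intact.
        msg = user.encode("utf-8") + b"\0" + password.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _expire(self):
        now = self._clock()
        for k in [k for k, exp in self._pending.items() if exp <= now]:
            del self._pending[k]

    def should_propagate(self, source, target, user, password):
        """Return True if a change seen on `source` must be pushed to `target`."""
        self._expire()
        tag = self._tag(user, password)
        # This exact change was pushed to `source` a moment ago: it is our echo.
        if self._pending.pop((source, tag), None) is not None:
            return False
        # Remember that `target` is about to report the same change back.
        self._pending[(target, tag)] = self._clock() + self._ttl
        return True


def demo():
    guard = SyncLoopGuard()
    pw = "p\u00e4ssw\u00f6rd"  # constructed sample with 8-bit characters
    return [
        guard.should_propagate("ad", "krb5", "colin", pw),       # real change
        guard.should_propagate("krb5", "ad", "colin", pw),       # echo, dropped
        guard.should_propagate("krb5", "ad", "colin", "other"),  # new change
    ]
```

An entry that outlives the TTL is discarded, so a later change to the same password on the other side is treated as genuine rather than silently dropped.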


