pam-krb5 error when called from Samba

Russ Allbery rra at stanford.edu
Thu Sep 1 18:49:28 EDT 2011 

Andreas Ntaflos <daff at pseudoterminal.org> writes:

> Russ, thank you for your reply!

Sorry about not following up again; it looks like the mailing list ate the
list copy of the message, so it got misfiled.

> I have only recently started trying to understand how Samba setups
> (standalone or PDC) would work together with Kerberos (and LDAP) so I am
> not even sure if calling "smbpasswd -r" from a remote machine is the
> right approach. Smbpasswd prompts for the old and new passwords so it
> seems that Samba should take care of the conversation details and
> passing the authtok.

It's tricky to do that.  PAM doesn't provide any great way to do that,
other than setting the password as auth data.  It really likes you to have
a conversation function.  But it may very well do it properly; I've never
used it myself.

Usually, I would expect the application-specific password programs like
kpasswd or smbpasswd to only change the password in that specific system,
and not try to use PAM or do anything generic.

> But your last point (passwd that changes krb5 and smb passwords) sounds
> interesting. Could you perhaps hint at a PAM configuration that would
> accomplish this? I have spent all of last night reading about and
> configuring PAM and the words "requisite", "required", "optional", etc.
> are starting to blend together.

Well, the typical pam-krb5 configuration for password change is:

    password  sufficient  pam_krb5.so minimum_uid=1000
    password  required    pam_unix.so nullok obscure min=4 max=8 md5

which tries to change the Kerberos password and falls back to changing the
UNIX password if the provided password isn't the Kerberos password.  But
what you want to do is both, so something like:

    password  requisite  pam_krb5.so minimum_uid=1000
    password  required   pam_smbpass.so use_authtok use_first_pass

would normally be what you'd do.  This stacks the two modules so that both
have to succeed, and tells pam_smbpass to use the old password
(use_first_pass) and new password (use_authtok) stored in the PAM data by
pam-krb5.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

More information about the Kerberos mailing list