password synchronization with samba3

Christian chanlists at googlemail.com
Tue Mar 18 16:26:37 EDT 2014


All,

thanks for all your comments. I'd like to share the results of the
subsequent research that I did. I assume below that samba3 is using the
ldap backend.

For samba3, in order to synchronize the NTLM password hash in the
sambaNTPassword attribute with the kerberos password, I see the
following options:

------- Option based on kadm5_hook -----

* add support for samba password syncing to krb5-sync. In this scenario,
krb5-sync would require additional config parameters
 - samba_ldap_base
 - samba_ldap_uri
 - samba_ldap_keytab
 - samba_ldap_admin_dn
krb5-sync would connect to samba_ldap_uri as samba_ldap_admin_dn using
the gssapi/kerberos sasl mechanism and the credentials based on
samba_ldap_keytab and then update the sambaNTPassword attribute with a
new hash to reflect the password change.

------- Options based on the ldap change password operation -----

* smbk5pwd allows syncing of samba3 and kerberos passwords if a heimdal
KDC is used with the ldap backend. smbk5pwd seems to directly modify the
samba and kerberos password hashes using ldap. Unfortunately, a heimdal
KDC with an ldap backend requires sasl minssf=0 (not a nice option),
allowing unencrypted plain text password authentication via sasl for
incoming connections.

* smbkrb5pwd provides the same functionality for MIT kerberos, but uses
kadmin to change the kerberos password. It modifies the samba password
directly in ldap.

In the two scenarios based on the ldap change password operation, things
turn bad when people start changing their passwords using kpasswd, for
example.

Do people think the additional feature for krb5-sync would be useful?
Have I overlooked any options?

Best,

Christian

> Christian <chanlists at googlemail.com> writes:
> 
>> we have an odd scenario here where we would like to synchronize
>> passwords in Kerberos with a Samba3 PDC. One option I see is the
>> kadm5_hook interface, so something like krb5-sync
>> (http://www.eyrie.org/~eagle/software/krb5-sync/) targeted at syncing
>> with samba3. Is anybody aware of projects or code or other options?
> 
> I suspect that krb5-sync would just work.  The password synchronization is
> done via the kpasswd protocol, which I'm fairly sure that Samba3 supports.
> 