Russ, thank you for your reply!

On 2011-08-30 05:39, Russ Allbery wrote:
> "Conversation error" means that when pam-krb5 tried to prompt for the
> password, it was unable to do so, usually because the application didn't
> provide a conversation callback. How does smbpasswd -r provide the
> password to PAM? You may need a custom PAM configuration for it that uses
> the PAM options use_first_pass and use_authtok, so that the PAM module
> will read the password from the stored PAM state rather than trying to
> prompt for it. However....

I have only recently started trying to understand how Samba setups (standalone or PDC) would work together with Kerberos (and LDAP), so I am not even sure if calling "smbpasswd -r" from a remote machine is the right approach. Smbpasswd prompts for the old and new passwords, so it seems that Samba should take care of the conversation details and passing the authtok.

Now, it is very possible that I am wrong in my whole approach to this Samba/Kerberos thing. I've read what seems like hundreds of pages of documentation and mailing list archives spanning the last ten years, but there doesn't seem to be a clear-cut way for integrating Samba, Kerberos and LDAP aside from using AD.

>> For reference, /etc/pam.d/samba looks like this:
>
>> auth requisite pam_krb5.so debug
>> auth optional pam_smbpass.so migrate debug
>> account required pam_krb5.so debug
>> password optional pam_smbpass.so nullok use_authtok try_first_pass
>> debug
>> password required pam_krb5.so use_authtok try_first_pass debug
>> session required pam_krb5.so debug
>
> ...it looks like that's what you've already got. Although I'm confused,
> since both pam_smbpass and pam_krb5 are configured to use a password
> stored in the stack by a previous module, but there's no previous module.
> *Someone* needs to be responsible for prompting for the password.

The above PAM configuration is directly from the Samba documentation in [1], but maybe details have changed since those pages were last updated (in 2003). However, this configuration snippet is also packaged with libpam-smbpass, so it shouldn't be too outdated, I'd think.

I posted here to understand the error message pam-krb5 throws, so thank you for enlightening me :)

> I'm not personally very familiar with smbpasswd -r or how it works, so I
> may be missing some aspect of this. (Presumably there's some reason why
> you want to use that and not just passwd configured with Samba and
> Kerberos PAM modules.)

I am certainly even less familiar with how smbpasswd works; the -r switch makes it change the user's password on the remote machine specified and apparently works at least partially, according to the Samba logs. I also believe that this is the way a user on a Windows machine that is part of the domain the Samba PDC serves would change his password. But maybe I am completely off here.

But your last point (passwd that changes krb5 and smb passwords) sounds interesting. Could you perhaps hint at a PAM configuration that would accomplish this? I have spent all of last night reading about and configuring PAM, and the words "requisite", "required", "optional", etc. are starting to blend together.

Thank you!

Andreas

[1] http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/pam.html
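
The situation discussed in this thread, as an added example that is not part of the original message and not code from Samba or pam-krb5: a heuristic Python check that flags auth/password rules carrying use_first_pass or use_authtok when no earlier rule of the same type could have prompted for the password. It assumes that any rule without those two options may prompt; the sample input is the stack quoted above, with its wrapped line rejoined.

```python
import re

# Constructed input: the /etc/pam.d/samba stack quoted in the message above.
SAMBA_PAM = """\
auth requisite pam_krb5.so debug
auth optional pam_smbpass.so migrate debug
account required pam_krb5.so debug
password optional pam_smbpass.so nullok use_authtok try_first_pass debug
password required pam_krb5.so use_authtok try_first_pass debug
session required pam_krb5.so debug
"""

# Options that make a module reuse a stored password instead of prompting.
NO_PROMPT = {"use_first_pass", "use_authtok"}
TOKEN_TYPES = ("auth", "password")  # the stacks that handle password tokens
# type, control (simple word or [bracketed] form), module, remaining options
RULE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse(text):
    """Yield (lineno, type, module, options) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if m:  # comments, blank lines and @include lines do not match
            yield lineno, m.group(1), m.group(3), set(m.group(4).split())


def lint(text):
    """Return (lineno, module, type) for rules that expect a stored password
    although no earlier rule of the same type could have prompted for one."""
    prompter_seen = dict.fromkeys(TOKEN_TYPES, False)
    findings = []
    for lineno, mtype, module, opts in parse(text):
        if mtype not in prompter_seen:
            continue
        if opts & NO_PROMPT:
            if not prompter_seen[mtype]:
                findings.append((lineno, module, mtype))
        else:
            # Assumption: a rule without these options may prompt by itself.
            prompter_seen[mtype] = True
    return findings


if __name__ == "__main__":
    for lineno, module, mtype in lint(SAMBA_PAM):
        print(f"line {lineno}: {module} ({mtype}) expects a stored password, "
              "but nothing earlier in the stack can prompt for one")
```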
