On Thu, 2002-11-07 at 09:20, Jonathan Higgins wrote:
> in samba v.3 there is a smb.conf directive - ldap passwd sync
>
> this provides several ldap passwd sync options on the fly including
> updating the ldap, nt, and lm passwords or just the ldap password.
> to accomplish this you can use the options: yes, no, or only
>
> I'm not sure if this is the place to ask, but what if the ldap server
> is using kerberos5 as a backend to store passwords? .. maybe we could
> add an option to ldap passwd sync = kerberos and then require a few
> more parameters including a krb5.keytab file location and the fqdn
> of the kerberos server. Then directly update the kerberos user's
> principal password at the time of synchronization? ... the user's
> principal would be available from the ldap structure because it's
> stored in the userPassword in the form of
> {KERBEROS}username@KERB_DOMAIN
>
> anyway.. I'm not a great programmer or I would try to do this..

This is what 'unix password sync' and 'pam passwd sync' are about. The LDAP option really should not exist - almost the exact same effect can be had by the use of pam_ldap. However, this avoided the need to tell pam_ldap your admin dn and password, and allowed us to say 'the ldap server takes care of all that'.

So, for your situation you could write a wrapper around kadmin, or a PAM module (see pam_krb5_migrate for a start) to do the job. Samba then calls that.

I'm looking at fixing this another way however - using Heimdal kerberos, its LDAP backend, and teaching the LDAP server how to update the kerberos passwords directly as kerberos attributes. (This tries to avoid the multiple points of failure I've been fighting at my site all this year.)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
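The kadmin wrapper suggested in the reply, sketched as an added example (not code from this thread or from the Samba project): a script Samba runs as its "passwd program" under "unix password sync". The smb.conf chat strings, the realm, admin principal and keytab path, and the way kadmin's cpw reads the password from stdin are all assumptions.

```shell
#!/bin/sh
# Wrapper Samba runs as its "passwd program" (added example, not Samba code).
# Assumed smb.conf glue; the script path and chat strings are ours:
#   unix password sync = yes
#   passwd program = /usr/local/sbin/smb-krb5-passwd %u
#   passwd chat = *New*password* %n\n *done*
# Assumed: MIT kadmin ("-p -k -t -q", "cpw" reading the password and its
# confirmation from stdin); realm, admin principal and keytab are placeholders.
KADMIN=${KADMIN:-/usr/sbin/kadmin}
REALM=${REALM:-EXAMPLE.COM}
ADMIN_PRINC=${ADMIN_PRINC:-samba/admin@EXAMPLE.COM}
ADMIN_KEYTAB=${ADMIN_KEYTAB:-/etc/samba/kadmin.keytab}

# Accept only a plain local user name (no '@', '/', blanks or shell
# metacharacters) so the %u Samba passes cannot alter the kadmin query.
valid_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*|-*) return 1 ;;
    esac
    return 0
}

# User name -> principal, the form the thread says userPassword carries
# as {KERBEROS}username@REALM.
principal_for() { printf '%s@%s\n' "$1" "$REALM"; }

log() {
    if command -v logger >/dev/null 2>&1; then logger -t smb-krb5-passwd -- "$*"; fi
    echo "$*" >&2
}

# The new password arrives on stdin (fed by Samba's passwd chat), never on the
# command line, so it does not show up in the process list or in logs.
change_password() {
    user=$1
    valid_user "$user" || { log "rejected user name"; return 2; }
    princ=$(principal_for "$user")
    printf 'New password: '
    IFS= read -r newpw || return 3
    printf '%s\n%s\n' "$newpw" "$newpw" |
        "$KADMIN" -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "cpw $princ" \
        >/dev/null 2>&1 || { log "password change failed for $princ"; return 4; }
    log "password changed for $princ"
    echo "done"
}

if [ $# -eq 1 ]; then change_password "$1"; fi
```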