Re: [debian-edu-commits] r79569 - in trunk/src/debian-edu-config: debian etc/samba

Hi Holger,

On Mon 01 Apr 2013 23:14:34 CEST Holger Levsen wrote:

> Hi Mike,
>
> On Monday, 1 April 2013, Mike Gabriel wrote:
>> To make this work, Samba __has__ to call the PAM password chat in a
>> language independent way (with LANG=C, this is handled internally by
>> Samba). The Samba admin then has to provide a chat matching pattern.
>> This pattern __also__ has to be in English.
>>
>> With the "passwd chat" pattern as specified in smb.conf being in
>> English, you can reliably parse the invoked-by-Samba PAM password
>> chat. No matter what default locale the installed system uses.
>>
>> Note: This has been tested on a German D-E installation, and it works
>
> Ah, thanks for explaining, makes sense now! So the user got prompted in German
> in your test-cases?! :-)

Uhhh... In a way... yes. As I used a German Windows 7 to test this ;-)

On the Win7 box (with domain membership in SKOLELINUX domain):
Ctrl+Alt+Del -> "Kennwort ändern" -> do the password changing

=> this should result in the passwords being set in:

 o Kerberos
 o Samba (lmhash/nthash)

The 'passwd program' and the 'passwd chat' parameter in smb.conf handle the Kerberos password change. The LDAP password change is handled by 'ldap passwd sync = yes' and the Samba hashes get set natively.

However, with newer Samba versions the lmhash does not get set anymore IIRC, unless you force Samba to do that. This has been deactivated by default as you can "reverse engineer" the plain text passwords from lmhashes [1]. Not sure when that change occurred in Samba upstream, IIRC somewhere between lenny and squeeze.


[1] http://wiki.debian.org/DebianEdu/HowTo/RecoverPasswords
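
A simplified model of the chat matching discussed in this thread, added here as an illustration; it is not code from the thread, from debian-edu-config or from Samba. The chat pattern and both sets of prompts are constructed samples, and matching is assumed to be a case-insensitive `*` wildcard comparison of each expect string against one line of program output.

```python
import fnmatch

# Escapes allowed in a passwd chat string (as documented in smb.conf(5)).
ESCAPES = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}

# Constructed English chat pattern, in the style of a "passwd chat" value.
CHAT = r"*new*password* %n\n *new*password* %n\n *success*"

# Constructed prompts: what a password program might print under LANG=C
# and under a German locale. Not captured from a real system.
C_PROMPTS = ["Enter new password: ", "Retype new password: ",
             "Password changed successfully"]
DE_PROMPTS = ["Geben Sie ein neues Passwort ein: ",
              "Geben Sie das neue Passwort erneut ein: ",
              "Passwort erfolgreich geändert"]


def parse_chat(chat):
    """Split a chat string into (expect, send) pairs; '.' means 'nothing'."""
    tokens = chat.split()
    if len(tokens) % 2:
        tokens.append(".")  # final expect with nothing left to send
    pairs = []
    for expect, send in zip(tokens[0::2], tokens[1::2]):
        for esc, char in ESCAPES.items():
            expect = expect.replace(esc, char)
            send = send.replace(esc, char)
        pairs.append((expect, send))
    return pairs


def run_chat(chat, program_output, new_password):
    """Walk the chat against the program's output lines.

    Returns (ok, sent): ok is True only if every expect pattern matched
    in order; sent lists the strings written to the program so far.
    """
    sent = []
    outputs = iter(program_output)
    for expect, send in parse_chat(chat):
        if expect != ".":
            line = next(outputs, None)
            if line is None or not fnmatch.fnmatchcase(line.lower(),
                                                       expect.lower()):
                return False, sent  # prompt not recognised: change aborted
        if send != ".":
            sent.append(send.replace("%n", new_password))
    return True, sent
```

With the English pattern, the LANG=C prompts complete the chat, while the localized prompts fail at the first expect string and no password is ever sent.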

