On Tue, Apr 02, 2013 at 02:33:52AM +0200, Mike Gabriel wrote:
> On Mo 01 Apr 2013 23:14:34 CEST Holger Levsen wrote:
> >On Monday, 1 April 2013, Mike Gabriel wrote:
> >>To make this work, Samba __has__ to call the PAM password chat in a
> >>language independent way (with LANG=C, this is handled internally by
> >>Samba). The Samba admin then has to provide a chat matching pattern.
> >>This pattern __also__ has to be in English.
> >>
> >>With the ,,passwd chat'' pattern as specified in smb.conf being in
> >>English, you can reliably parse the invoked-by-Samba PAM password
> >>chat. No matter what default locale the installed system uses.
> >>
> >>Note: This has been tested on a German D-E installation, and it works
> >>perfectly.
> >
> >Ah, thanks for explaining, makes sense now! So the user got
> >prompted in German
> >in your test-cases?! :-)
>
> Errr... In a way... yes. As I used a German Windows 7 to test this ;-)
>
> On the Win7 box (with domain membership in SKOLELINUX domain):
> Ctrl+Alt+Del -> ,,Kennwort ändern'' (Change password) -> do the password changing
>
> => this should result in the passwords being set in:
>
> o LDAP
> o Kerberos
> o Samba (lmhash/nthash)

Don't know much about Windows OS; last version I used to some extent (at
school) was 98SE. But I was wondering, if it wouldn't be possible to use
only Kerberos and get rid of that lm/nt stuff.

Just for testing I did this on a Wheezy combi-server using smbclient, and
it seems to work locally, output see below.

(1) Create CIFS service principal

kadmin
kadmin:  addprinc -randkey cifs/tjener.intern
kadmin:  ktadd -k /etc/krb5.keytab.cifs cifs/tjener.intern
kadmin:  q
----------------------------

(2) Modify smb.conf

--- /etc/samba/smb-debian-edu.conf.orig	2012-06-10 14:23:02.000000000 +0200
+++ /etc/samba/smb-debian-edu.conf	2013-04-05 18:10:18.000000000 +0200
@@ -19,6 +19,7 @@
 # server name
 netbios name = TJENER
+ realm = INTERN
 available = yes
 # needed for samba 3.5.6 with XP (Svp3) clients...
 server signing = disabled
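Review bot: `realm = INTERN` has to be the Kerberos realm in which step (1) created `cifs/tjener.intern`, but step (1) never names a realm (the principal is given without `@REALM`), so a reader cannot tell whether the two agree; either write the principal as `cifs/tjener.intern@INTERN` in the addprinc and ktadd commands, or state the KDC's default realm next to this line.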
@@ -35,12 +36,14 @@
 # server mode
- security = USER
+ security = ADS
 # security setting
 null passwords = no
 map to guest = Bad User
 guest ok = No
+ kerberos method = dedicated keytab
+ dedicated keytab file = /etc/krb5.keytab.cifs
 # server/client spnego
 use spnego = yes
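Review bot: the context lines `null passwords = no` and `use spnego = yes` in this hunk are exactly the two options the step (4) output flags (`WARNING: The "null passwords" option is deprecated`, `WARNING: The "use spnego" option is deprecated`), so drop them while this block is being edited anyway. Separately, `dedicated keytab file = /etc/krb5.keytab.cifs` makes that file the only credential Samba holds for the cifs/ service; the mail should say that it must stay readable by root only, because whoever can read it can answer as the file server.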
@@ -55,18 +58,18 @@
 # should allways be set to 'true'
 encrypt passwords = true
- passdb backend = ldapsam:"ldap://ldap.intern"
+ #passdb backend = ldapsam:"ldap://ldap.intern"
 # divert libnss for posix users/groups lookups, rely completely on LDAP db integrity
- ldapsam:trusted = yes
+ #ldapsam:trusted = yes
- ldap suffix = dc=skole,dc=skolelinux,dc=no
+ #ldap suffix = dc=skole,dc=skolelinux,dc=no
 # with GOsa, we cannot use suffices here, we have to always search starting from the BaseDN
- ldap user suffix =
- ldap group suffix =
- ldap machine suffix =
- ldap idmap suffix =
- ldap admin dn = "cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no"
- ldap ssl = start_tls
+ #ldap user suffix =
+ #ldap group suffix =
+ #ldap machine suffix =
+ #ldap idmap suffix =
+ #ldap admin dn = "cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no"
+ #ldap ssl = start_tls
 add machine script = /etc/samba/smbaddclient.sh "%u"
------------------------------------------------------------

(3) Test smb.conf and restart services

testparm
service samba restart

(4) Test locally

smbclient -k -L tjener.intern -U test

Output:
----------------------------------------------------
WARNING: The "null passwords" option is deprecated
WARNING: The "use spnego" option is deprecated
Domain=[SKOLELINUX] OS=[Unix] Server=[Samba 3.6.6]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	IPC$            IPC       IPC Service (tjener server (Debian Edu/Skolelinux Main Server))
	test            Disk      Home directories
Domain=[SKOLELINUX] OS=[Unix] Server=[Samba 3.6.6]

	Server               Comment
	---------            -------
	TJENER               tjener server (Debian Edu/Skolelinux Main Server

	Workgroup            Master
	---------            -------
	SKOLELINUX           TJENER
----------------------------------------------------

Perhaps someone could test this with a real machine?

Wolfgang
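Review bot: commenting out `passdb backend = ldapsam:"ldap://ldap.intern"` does not remove the passdb, it makes Samba fall back to its default local tdbsam, so the password-change path quoted at the top of the mail (the Windows change-password dialog updating LDAP, Kerberos and the Samba lm/nt hashes) no longer has an LDAP-backed Samba store to write to; say whether that is the intention (Kerberos only, no NT hashes kept at all) and what happens to the hashes already stored in LDAP. The commented `#ldap ... suffix`, `#ldap admin dn` and `#ldap ssl` lines should be deleted rather than left as dead configuration, and `add machine script = /etc/samba/smbaddclient.sh "%u"` stays active although the LDAP settings around it are now disabled, so check that machine account creation still works with `security = ADS`.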
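As an added pre-restart check for steps (1) and (2) above (example script, not part of Wolfgang's mail or of Debian Edu): it verifies that the smb.conf keys from step (2) are set, that the dedicated keytab from step (1) is readable by root only, and, assuming MIT Kerberos as the kadmin syntax above implies, that the keytab holds the cifs/ principal, before `service samba restart`. The config path, keytab path and host name are the ones from the mail.

```shell
#!/bin/sh
# Added example (not from the mail or from Debian Edu): pre-restart checks for
# the Kerberos-only Samba setup in steps (1) and (2). Assumes MIT Kerberos.

# Value of a global smb.conf key; ';' and '#' comments are dropped first, so
# the commented-out ldap lines from step (2) never match. The key must be
# spelled as in the mail (testparm would also accept 'KerberosMethod').
smb_get() {  # smb_get <smb.conf> <key>
    sed -n -e 's/[[:space:]]*;.*$//' -e 's/#.*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# All four keys the ADS/keytab mode needs must be present; returns 1 and
# names the missing ones on stderr otherwise.
check_smbconf() {  # check_smbconf <smb.conf>
    rc=0
    [ "$(smb_get "$1" security)" = ADS ] || { echo "security must be ADS" >&2; rc=1; }
    [ -n "$(smb_get "$1" realm)" ] || { echo "realm is not set" >&2; rc=1; }
    [ "$(smb_get "$1" 'kerberos method')" = 'dedicated keytab' ] \
        || { echo "kerberos method must be 'dedicated keytab'" >&2; rc=1; }
    [ -n "$(smb_get "$1" 'dedicated keytab file')" ] \
        || { echo "dedicated keytab file is not set" >&2; rc=1; }
    return $rc
}

# The keytab is the cifs/ service's long-term key: anyone who can read it can
# impersonate the file server, so it must exist and be mode 0600.
check_keytab_perms() {  # check_keytab_perms <keytab>
    [ -f "$1" ] || { echo "$1: keytab not found" >&2; return 1; }
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) echo "$1: must be mode 0600" >&2; return 1 ;;
    esac
}

# Optional: confirm the keytab holds cifs/<host> (MIT 'klist -k <file>').
check_keytab_principal() {  # check_keytab_principal <keytab> <host>
    command -v klist >/dev/null 2>&1 || { echo "klist not found, skipped" >&2; return 0; }
    klist -k "$1" | grep -q "cifs/$2@"
}

# Run as root after step (2), before 'service samba restart': sh thisscript --run
if [ "${1:-}" = --run ]; then
    conf=/etc/samba/smb-debian-edu.conf
    kt=$(smb_get "$conf" 'dedicated keytab file')
    check_smbconf "$conf" && check_keytab_perms "$kt" \
        && check_keytab_principal "$kt" tjener.intern \
        && testparm -s "$conf" >/dev/null && echo "ok: safe to restart samba"
fi
```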