
Samba auth using Kerberos? (Was: Re: [debian-edu-commits] r79569 - in trunk/src/debian-edu-config:) debian etc/samba



On Tue, Apr 02, 2013 at 02:33:52AM +0200, Mike Gabriel wrote:
> On Mo 01 Apr 2013 23:14:34 CEST Holger Levsen wrote:
> >On Montag, 1. April 2013, Mike Gabriel wrote:
> >>To make this work, Samba __has__ to call the PAM password chat in a
> >>language independent way (with LANG=C, this is handled internally by
> >>Samba). The Samba admin then has to provide a chat matching pattern.
> >>This pattern __also__ has to be in English.
> >>
> >>With the ,,passwd chat'' pattern as specified in smb.conf being in
> >>English, you can reliably parse the invoked-by-Samba PAM password
> >>chat. No matter what default locale the installed system uses.
> >>
> >>Note: This has been tested on a German D-E installation, and it works
> >>perfectly.
> >
> >Ah, thanks for explaining, makes sense now! So the user got
> >prompted in German
> >in your test-cases?! :-)
> 
> Ähhh... In a way... yes. As I used a German Windows 7 to test this ;-)
> 
> On the Win7 box (with domain membership in SKOLELINUX domain):
> Ctrl+Alt+Del -> ,,Kennwort ändern'' -> do the password changing
> 
> => this should result in the passwords being set in:
> 
>  o LDAP
>  o Kerberos
>  o Samba (lmhash/nthash)
 

Don't know much about Windows OS; last version I used to some extent (at 
school) was 98SE.

But I was wondering if it wouldn't be possible to use only Kerberos and 
get rid of that lm/nt stuff.

Just for testing I did this on a Wheezy combi-server using smbclient, 
and it seems to work locally; the output is shown below.

(1) Create CIFS service principal

kadmin
kadmin:  addprinc -randkey cifs/tjener.intern
kadmin:  ktadd -k /etc/krb5.keytab.cifs cifs/tjener.intern
kadmin:  q
----------------------------

(2) Modify smb.conf

--- /etc/samba/smb-debian-edu.conf.orig	2012-06-10 14:23:02.000000000 +0200
+++ /etc/samba/smb-debian-edu.conf	2013-04-05 18:10:18.000000000 +0200
@@ -19,6 +19,7 @@
 
 # server name
    netbios name = TJENER
+   realm = INTERN 
    available = yes
    # needed for samba 3.5.6 with XP (Svp3) clients...
    server signing = disabled 
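Review bot: `realm = INTERN ` carries a trailing space, and the realm value should be checked against the KDC: the principals in step (1) were created as cifs/tjener.intern without an explicit @REALM, so they went into kadmin's default realm, and that realm and this smb.conf setting have to agree for the dedicated keytab to be usable. While here, the unchanged `server signing = disabled` context line (an XP SP3 workaround per its comment) is worth revisiting once clients authenticate with Kerberos, since unsigned SMB sessions have no integrity protection.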
@@ -35,12 +36,14 @@
 
 # server mode
 
-   security = USER
+   security = ADS
 
 # security setting
    null passwords = no
    map to guest = Bad User
    guest ok = No
+   kerberos method = dedicated keytab
+   dedicated keytab file = /etc/krb5.keytab.cifs
 
 # server/client spnego
    use spnego = yes
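Review bot: `dedicated keytab file = /etc/krb5.keytab.cifs` is introduced here, but neither this patch nor step (1) shows the keytab's ownership or mode; anyone who can read that file can act as the cifs/ service, so the procedure should state that it is root-owned with mode 0600 and verify it. `security = ADS` is Samba's AD domain-member mode; the local smbclient run below passes, but as the mail itself asks, a real domain client should confirm the setting works against a MIT KDC. Note also that `null passwords` and `use spnego`, both in this hunk's context, are exactly the options the smbclient output below reports as deprecated.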
@@ -55,18 +58,18 @@
    # should allways be set to 'true'
    encrypt passwords = true
 
-   passdb backend = ldapsam:"ldap://ldap.intern";
+   #passdb backend = ldapsam:"ldap://ldap.intern";
    # divert libnss for posix users/groups lookups, rely completely on LDAP db integrity
-   ldapsam:trusted = yes
+   #ldapsam:trusted = yes
 
-   ldap suffix = dc=skole,dc=skolelinux,dc=no
+   #ldap suffix = dc=skole,dc=skolelinux,dc=no
    # with GOsa, we cannot use suffices here, we have to always search starting from the BaseDN
-   ldap user suffix =
-   ldap group suffix = 
-   ldap machine suffix =
-   ldap idmap suffix = 
-   ldap admin dn = "cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no"
-   ldap ssl = start_tls
+   #ldap user suffix =
+   #ldap group suffix = 
+   #ldap machine suffix =
+   #ldap idmap suffix = 
+   #ldap admin dn = "cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no"
+   #ldap ssl = start_tls
 
    add machine script = /etc/samba/smbaddclient.sh "%u"
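Review bot: commenting out `passdb backend = ldapsam:"ldap://ldap.intern"` does not remove password authentication, it falls back to Samba's default backend (tdbsam), so any client that negotiates NTLM instead of Kerberos is checked against a local passdb.tdb rather than the LDAP directory; if the goal is Kerberos-only, that fallback should be an explicit decision documented in the config rather than an accident of the default. `ldap ssl = start_tls` is commented out with the rest and must come back if the ldapsam lines are ever re-enabled. The unchanged `add machine script = /etc/samba/smbaddclient.sh "%u"` line is still active, so it is worth checking that the machine accounts it creates are still meaningful to a server that no longer reads LDAP for its passdb.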
------------------------------------------------------------ 

(3) Test smb.conf and restart services
testparm
service samba restart

(4) Test locally

smbclient -k -L tjener.intern -U test 

Output:
----------------------------------------------------
WARNING: The "null passwords" option is deprecated
WARNING: The "use spnego" option is deprecated
Domain=[SKOLELINUX] OS=[Unix] Server=[Samba 3.6.6]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        IPC$            IPC       IPC Service (tjener server (Debian Edu/Skolelinux Main Server))
        test            Disk      Home directories
Domain=[SKOLELINUX] OS=[Unix] Server=[Samba 3.6.6]                              
                                                                                
        Server               Comment                                            
        ---------            -------                                            
        TJENER               tjener server (Debian Edu/Skolelinux Main Server   
                                                                                
        Workgroup            Master                                             
        ---------            -------                                            
        SKOLELINUX           TJENER 
----------------------------------------------------

Perhaps someone could test this with a real machine?

Wolfgang
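As an added example, not part of Wolfgang's mail or of the Debian Edu configuration: a small POSIX shell script that checks the two things a reviewer would want verified after steps (1) and (2) above, namely that the dedicated keytab is a root-only (mode 0600) file and that smb.conf actually carries the `security`, `kerberos method` and `dedicated keytab file` settings from the diff. It also reports what `passdb backend` resolves to, since commenting it out leaves Samba on its default. The file names and the sample config fragment in `demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mail): sanity checks for a Kerberos-only
# Samba setup. Paths and the sample smb.conf below are constructed.

# Return 0 if the keytab exists, is a regular file and has mode 0600.
# Anyone who can read the keytab can impersonate the cifs/ service,
# so the mode check is the part that matters.
check_keytab_perms() {
    f=$1
    [ -f "$f" ] || { echo "keytab $f: missing or not a regular file"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$mode" in
        600) echo "keytab $f: mode 0600 ok"; return 0 ;;
        *)   echo "keytab $f: mode $mode, expected 0600"; return 1 ;;
    esac
}

# Print the value of an smb.conf parameter. Key match is case-insensitive,
# leading whitespace and spaces around '=' are tolerated, and lines
# commented with '#' or ';' are ignored (so the disabled ldapsam lines
# from the diff do not count as set).
smb_param() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /=/ {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 when smb.conf has the three Kerberos settings from the diff.
# Prints informational notes about server signing and the passdb fallback.
check_smb_conf() {
    conf=$1; rc=0
    [ "$(smb_param "$conf" 'security')" = "ADS" ] \
        || { echo "security is not ADS"; rc=1; }
    [ "$(smb_param "$conf" 'kerberos method')" = "dedicated keytab" ] \
        || { echo "kerberos method is not 'dedicated keytab'"; rc=1; }
    kt=$(smb_param "$conf" 'dedicated keytab file')
    [ -n "$kt" ] || { echo "dedicated keytab file not set"; rc=1; }
    [ "$(smb_param "$conf" 'server signing')" = "disabled" ] \
        && echo "note: server signing = disabled is still in place"
    pb=$(smb_param "$conf" 'passdb backend')
    echo "passdb backend: ${pb:-<unset, Samba default tdbsam applies>}"
    return $rc
}

# Build a constructed smb.conf fragment and an empty keytab stand-in
# (not a real keytab), then run both checks against them.
demo() {
    d=$(mktemp -d)
    cat > "$d/smb-debian-edu.conf" <<'EOF'
# server name
   netbios name = TJENER
   realm = INTERN
   server signing = disabled
# server mode
   security = ADS
   kerberos method = dedicated keytab
   dedicated keytab file = /etc/krb5.keytab.cifs
   #passdb backend = ldapsam:"ldap://ldap.intern"
EOF
    : > "$d/krb5.keytab.cifs"
    chmod 600 "$d/krb5.keytab.cifs"
    check_smb_conf "$d/smb-debian-edu.conf"
    check_keytab_perms "$d/krb5.keytab.cifs"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check-samba-krb.sh demo` to see the checks against the constructed fragment, or source it and call `check_smb_conf /etc/samba/smb-debian-edu.conf` and `check_keytab_perms /etc/krb5.keytab.cifs` on a real server; both functions return non-zero when something is off, so they can sit in a post-install check.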
