[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Password hashes in Debian Edu (and migrating from pre-Squeeze installations) (Was: Bug#720396: debian-edu-config: debian-edu-config/tools/gosa-create buggy with set -e)

This question belong on debian-edu@lists.debian.org.  Moving the
thread there.

[Moritz Molle]
> say... is kerberos saving a copy of the userpasswords redundant to
> ldap, or why does krb have to be told change_password (in
> gosa-sync)?

There are unfortunately three password checking options in Debian Edu
Wheezy (and Squeeze).  The prefered one is (1) Kerberos, which uses
LDAP as its database backend to store information about principals
(aka users).  Another one is (2) Samba, which keep its own password
hashes also in LDAP.  The third one is (3 ) LDAP bind method itself,
which also store its own hashes in LDAP.

Login via GUI, ssh or cups uses Kerberos (aka PAM).  Samba access uses
the Samba hashes, and Gosa uses the LDAP bind method.

The goal is to migrate everything to Kerberos, but we have not had
time to figure out how to do this with all the services provided by
Debian Edu yet.

> i ask because that could cause a problem with my migrating
> pasaworshashes from older skole versions.

It will.  The olds hash is only usable for LDAP bind and Samba, while
login now require Kerberos info.

Happy hacking
Petter Reinholdtsen

Reply to: