From: Dan White (no email)
Date: Thu Nov 29 2007 - 10:16:57 EST
Dieter Kluenter wrote:
> Patrick Ben Koetter <p at state-of-mind dot de> writes:
>> * Sebastian Hagedorn <>:
>>> Hi Gary,
>>> --On 28. November 2007 19:40:22 -0600 Gary Mills <>
>>>> We have a central database that contains Unix, NTLM, and SASL
>>>> passwords, permitting single-password signons for Unix and Windows
>>>> desktops, and for Cyrus IMAP. I'd like to add Kerberos to this mix,
>>>> but only for IMAP authentications initially. This would permit
>>>> single-signon from Unix IMAP clients like mutt and pine, and
>>>> especially from a webmail application using pubcookie for
>>>> authentication. I'd like Kerberos to use the same passwords, rather
>>>> than supporting another password database. Is anybody doing this? Is
>>>> it even possible?
>>> I don't think so, but I could be wrong.
>> I've heard (!) that if the central database is LDAP one can use an OpenLDAP
>> overlay that synchronizes passwords in several services and IIRC Kerberos was
>> also mentioned. See <http://www.symas.com/introtooverlays.shtml> and look for
> This overlay is only synchronising smb and krb5 passwords if these are
> held in the directory, for krb5 this can only be achieved with heimdal
In addition to the smbk5pwd, you may also want to check out nss_ldap:
and if using PAM, pam_ldap:
and also the ldapdb SASL auxprop plugin.
nss_ldap will allow you to store additional /etc/passwd,
/etc/group and /etc/shadow entries into LDAP.
SASL can be configured to use ldapdb to retrieve and store
passwords in LDAP.
Samba and Heimdal (as mentioned above) can be configured to store
their users and principals into the same LDAP store, and the
smbk5pwd overlay will update the samba and kerberos entries when
the userPassword is changed, via an LDAP password extended operation.
Passwords can be changed via the ldappasswd command, or pam_ldap
can be configured to perform the password extended operation each
time a 'passwd' is run to change passwords.
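As an illustration of the layout Dan describes, added here and not taken from the thread or from any of the projects' own documentation, a sketch of the three configuration files involved; the suffix, DNs, hostname and file paths are assumed placeholders:

```conf
# /etc/openldap/slapd.conf -- suffix, DNs and paths are assumed placeholders
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/nis.schema       # posixAccount/shadowAccount for nss_ldap
include         /etc/openldap/schema/samba.schema     # sambaSamAccount for Samba
include         /etc/openldap/schema/hdb.schema       # krb5Principal/krb5Key for Heimdal
moduleload      smbk5pwd.la                           # contrib overlay, built separately
authz-policy    to                                    # lets the SASL ldapdb identity proxy users

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Only the KDC may read Kerberos keys; only Samba may read NT/LM hashes.
access to attrs=krb5Key,krb5KeyVersionNumber
        by dn.exact="cn=kdc,dc=example,dc=com" read
        by * none
access to attrs=sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba,dc=example,dc=com" read
        by * none
# "self write" is what allows the Password Modify exop to succeed for the user.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to * by * read

# smbk5pwd hooks the Password Modify extended operation (RFC 3062) and
# derives krb5Key and samba* hashes from the new cleartext. A plain modify
# of userPassword bypasses it, so passwords must be changed via the exop.
overlay         smbk5pwd
smbk5pwd-enable krb5
smbk5pwd-enable samba

# /etc/ldap.conf (PADL nss_ldap + pam_ldap)
uri             ldap://ldap.example.com/
base            dc=example,dc=com
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
pam_password    exop      # passwd(1) issues the exop rather than rewriting userPassword

# /etc/imapd.conf (Cyrus IMAP using the SASL ldapdb auxprop plugin)
sasl_pwcheck_method:  auxprop
sasl_auxprop_plugin:  ldapdb
sasl_ldapdb_uri:      ldapi:///
sasl_ldapdb_mech:     EXTERNAL   # over ldapi slapd maps the cyrus uid to a DN (authz-regexp, not shown);
                                 # that DN needs an authzTo covering the user entries it proxies
```

With this in place a single `ldappasswd` or `passwd` run updates userPassword, the Heimdal keys and the Samba hashes together, which is the behaviour Dan's message describes.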