Kerberos attributes with ldap/samba for a heimdal backend
In working on the unified samba/heimdal/openldap account DB, I've run
across the following. If my users have only the following objectClass
definitions:
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    objectClass: posixAccount
along with the typical samba/posix attributes, I find that I can't
set any kerberos-specific attributes:
    Principal: user@CISE.UFL.EDU
    Principal expires: 2038-01-19 03:14:07 UTC
    Password expires: 2038-01-19 03:14:07 UTC
    Last password change: never
    Max ticket life: unlimited
    Max renewable life: unlimited
    Kvno: 0
    Mkvno: 0
    Last successful login: never
    Last failed login: never
    Failed login count: 0
    Last modified: 2005-03-15 21:30:43 UTC
    Modifier: unknown
*---> Attributes: disallow-svr, disallow-proxiable, disallow-renewable, disallow-postdated
    Keytypes: arcfour-hmac-md5(pw-salt)
due to the lack of the krb5KDCFlags LDAP attribute.
If I add the following attributes to the LDAP entry:
    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    krb5PrincipalName: jfh@CISE.UFL.EDU
    krb5KeyVersionNumber: 0
    krb5KDCFlags: 382
I can then set krb-specific attributes, but when I change the password
using kadmin, I do change the Samba password, yet I also end up adding krb5Key
attributes in doing so, which effectively separates the samba password
from the heimdal password (a change via smbpasswd gives me two different
passwords).
I believe this happens because in the function LDAP__lookup_princ()
in hdb-ldap.c, the filter tried first is
    (&(objectClass=krb5Principal)(krb5PrincipalName=%s))
and only if this fails is
    (&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))
tried.
Would it cause problems if the filters were switched so that if
the sambaSamAccount objectClass exists it's treated as a samba
entry instead of the other way around?
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh@cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
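As an added example that is not part of the original post or of Heimdal's code, here is a small Python evaluator for the two hdb-ldap.c lookup filters quoted above; it shows which lookup an entry with and without the krb5 object classes hits under the current order and under the swap the post proposes. The structural object class substituted into the samba filter ("account") is an assumption, as is the case-insensitive value comparison.

```python
# Added example (not Heimdal code, not from the original post): a tiny evaluator
# for the two hdb-ldap.c lookup filters quoted in the message, showing which one
# an entry hits under the current order and under the proposed swap.
KRB5_FILTER = "(&(objectClass=krb5Principal)(krb5PrincipalName=%s))"
SAMBA_FILTER = "(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))"
# Assumption: the first %s of SAMBA_FILTER is hdb-ldap's structural object
# class, taken here as "account"; the second %s is the uid part of the principal.
STRUCTURAL_CLASS = "account"

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used above ((&..), (|..), (attr=value)).
    Returns (node, index_after_node)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unterminated filter list at offset %d" % i)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr, value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}; attribute
    names are case-insensitive, values compared case-insensitively (assumption)."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return value.lower() in (v.lower() for v in values)

def first_match(entry, principal, order=("krb5", "samba")):
    """Name of the first filter in `order` that matches `entry`, or None."""
    uid = principal.split("@", 1)[0]
    filters = {"krb5": parse_filter(KRB5_FILTER % principal)[0],
               "samba": parse_filter(SAMBA_FILTER % (STRUCTURAL_CLASS, uid))[0]}
    return next((n for n in order if matches(filters[n], entry)), None)

# Constructed entries mirroring the two cases in the post.
SAMBA_ONLY = {"objectClass": ["inetOrgPerson", "sambaSamAccount", "posixAccount"],
              "uid": ["jfh"]}
MIXED = dict(SAMBA_ONLY, krb5PrincipalName=["jfh@CISE.UFL.EDU"],
             objectClass=SAMBA_ONLY["objectClass"] + ["krb5Principal", "krb5KDCEntry"])
```

With the default order the MIXED entry is found by the krb5Principal filter, while with `order=("samba", "krb5")` both entries are found by the sambaSamAccount filter.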