[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Kerberos attributes with ldap/samba for a heimdal backend

In working on the unified samba/heimdal/openldap account DB, I've run 
across the following. If my users have only the following objectClass

    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    objectClass: posixAccount

along with the typical samba/posix attributes, I find that I can't
set any kerberos-specific attributes:

                Principal: user@CISE.UFL.EDU
        Principal expires: 2038-01-19 03:14:07 UTC
         Password expires: 2038-01-19 03:14:07 UTC
     Last password change: never
          Max ticket life: unlimited
       Max renewable life: unlimited
                     Kvno: 0
                    Mkvno: 0
    Last successful login: never
        Last failed login: never
       Failed login count: 0
            Last modified: 2005-03-15 21:30:43 UTC
                 Modifier: unknown
*--->          Attributes: disallow-svr, disallow-proxiable, 
                           disallow-renewable, disallow-postdated
                 Keytypes: arcfour-hmac-md5(pw-salt)

due to the lack of the krb5KDCFlags LDAP attribute.

If I add the following attributes to the LDAP entry:

    objectClass: krb5Principal
    objectClass: krb5KDCEntry
    krb5PrincipalName: jfh@CISE.UFL.EDU
    krb5KeyVersionNumber: 0
    krb5KDCFlags: 382
I can then set krb-specific attributes, but when I change the password 
using kadmin, I do change the Samba password, but I end up adding krb5Key
attributes on doing so, which effectively separates the samba password 
from the heimdal password (a change via smbpasswd gives me two different

I believe this happens because in the function LDAP__lookup_princ()
in hdb-ldap.c, the filter tried first is


and only if this fails is 



Would it cause problems if the filters were switched so that if
the sambaSamAccount objectClass exists it's treated as a samba
entry instead of the other way around?

| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |