Re: Kerberos attributes with ldap/samba for a heimdal backend

> If I add the following attributes to the LDAP entry:
>     objectClass: krb5Principal
>     objectClass: krb5KDCEntry
>     krb5PrincipalName: jfh@CISE.UFL.EDU
>     krb5KeyVersionNumber: 0
>     krb5KDCFlags: 382
> I can then set krb-specific attributes, but when I change the password 
> using kadmin, I do change the Samba password, but I end up adding krb5Key
> attributes on doing so, which effectively separates the samba password 
> from the heimdal password (a change via smbpasswd gives me two different
> passwords).

I think the correct solution is to load the smbk5pwd module into the DSA, change
the Samba LDAP passwd sync option to "only", and to change passwords via the
extended operation (using normal passwd and properly configured pam ldap.conf).
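The three settings named in the reply, sketched as configuration fragments. This is an added example, not part of the original message; the file names, the section comments and the placeholder suffix are assumptions, and the directives are the standard ones for the OpenLDAP smbk5pwd overlay, Samba and pam_ldap.

```conf
# ---- slapd.conf (OpenLDAP, the DSA) ----
# Load the overlay module, then attach it to the database that holds
# the accounts (suffix below is a placeholder).
moduleload      smbk5pwd.la

suffix          "dc=example,dc=com"
overlay         smbk5pwd
# On every Password Modify extended operation, regenerate both the
# Heimdal keys (krb5Key, krb5KeyVersionNumber) and the Samba hashes
# (sambaNTPassword, sambaPwdLastSet) from the same cleartext.
smbk5pwd-enable krb5
smbk5pwd-enable samba

# ---- smb.conf, [global] section ----
# "only": Samba sends just the LDAP password change and leaves the
# Samba hash attributes to the directory server (the overlay above),
# so smbpasswd no longer writes a password the KDC does not know.
ldap passwd sync = only

# ---- pam_ldap ldap.conf ----
# Make passwd(1) change passwords through the Password Modify
# extended operation instead of writing userPassword directly,
# so the overlay sees the change.
pam_password exop
```

With all three in place, every password change path (passwd, smbpasswd, kadmin against the LDAP backend) funnels through the same extended operation, which is what keeps the krb5Key and Samba hash attributes derived from one password.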