
Re: Kerberos attributes with ldap/samba for a heimdal backend

"James F. Hranicky" <jfh@cise.ufl.edu> writes:

> In working on the unified samba/heimdal/openldap account DB, I've run 
> across the following. If my users have only the following objectClass
> definitions:
>
>     objectClass: inetOrgPerson
>     objectClass: sambaSamAccount
>     objectClass: posixAccount
>
> along with the typical samba/posix attributes, I find that I can't
> set any kerberos-specific attributes:

If it's a samba entry, all samba attributes are translated to their kerberos
equivalents, but on writing back an entry, they are not modified. I guess
that could be improved.

> If I add the following attributes to the LDAP entry:
>
>     objectClass: krb5Principal
>     objectClass: krb5KDCEntry
>     krb5PrincipalName: jfh@CISE.UFL.EDU
>     krb5KeyVersionNumber: 0
>     krb5KDCFlags: 382
>  
> I can then set krb-specific attributes, but when I change the password 
> using kadmin, I do change the Samba password, but I end up adding krb5Key
> attributes on doing so, which effectively separates the samba password 
> from the heimdal password (a change via smbpasswd gives me two different
> passwords).
>
> I believe this happens because in the function LDAP__lookup_princ()
> in hdb-ldap.c, the filter tried first is

Isn't the problem that samba changes the smb password but not the krb5Key
entry, so if you want to keep them in sync, make sure you only have arcfour
enctypes (or disallow smbpasswd).

> Would it cause problems if the filters were switched so that if
> the sambaSamAccount objectClass exists it's treated as a samba
> entry instead of the other way around?

The filters are just for finding the entry; all attributes are
extracted. The entry is later probed and treated like a samba and/or heimdal
entry.

Love

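The reply above says the two passwords stay in step only if the KDC entry carries nothing but arcfour enctypes. The reason is that the rc4-hmac string-to-key (RFC 4757, section 2) is MD4 over the UTF-16LE password, which is exactly Samba's NT hash, so a Kerberos password change and an smbpasswd change produce the same 16 bytes; no other enctype's key can be derived from the NT hash. The script below is an added example, not code from this thread or from Heimdal or Samba: it implements MD4 from RFC 1320 (hashlib may not expose md4 on OpenSSL 3), derives both values, and checks a constructed LDIF entry's sambaNTPassword against what a password change would write. The sample entry, its dn and its password "password" are constructed; the attribute names are Samba's and the Heimdal schema's as they appear in the thread.

```python
"""Why arcfour-only keeps Samba and Heimdal passwords in sync (added example).

rc4-hmac string-to-key (RFC 4757) == MD4(UTF-16LE(password)) == Samba NT hash.
MD4 is implemented here per RFC 1320 because hashlib may lack it.
"""
import struct

_MASK = 0xFFFFFFFF


def _rol(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_round(a, b, c, d, f, x, idxs, shifts, k):
    """One MD4 round: 16 steps, rotating the working variables after each step."""
    for i, j in enumerate(idxs):
        a = _rol((a + f(b, c, d) + x[j] + k) & _MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return a, b, c, d


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (padding, three rounds, little-endian words)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        a, b, c, d = _md4_round(a, b, c, d, F, x, range(16), (3, 7, 11, 19), 0)
        a, b, c, d = _md4_round(a, b, c, d, G, x,
                                (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15),
                                (3, 5, 9, 13), 0x5A827999)
        a, b, c, d = _md4_round(a, b, c, d, H, x,
                                (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15),
                                (3, 9, 11, 15), 0x6ED9EBA1)
        h = [(h[0] + a) & _MASK, (h[1] + b) & _MASK,
             (h[2] + c) & _MASK, (h[3] + d) & _MASK]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """Samba's NT hash (sambaNTPassword): MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_string_to_key(password: str) -> bytes:
    """Kerberos rc4-hmac (enctype 23) string-to-key, RFC 4757 section 2.
    Same computation as the NT hash, which is why the two stay in sync."""
    return md4(password.encode("utf-16-le"))


def parse_ldif(text: str) -> dict:
    """Minimal LDIF reader: attribute -> list of values (no base64, no folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def keys_in_sync(entry: dict, password: str) -> bool:
    """True when sambaNTPassword equals the rc4-hmac key a Kerberos password
    change to `password` would produce. des-cbc-* and aes* keys have no such
    relation to the NT hash, so a Samba-side change cannot refresh them."""
    stored = entry.get("sambaNTPassword", [""])[0].lower()
    return stored == rc4_hmac_string_to_key(password).hex()


# Constructed sample entry in the shape discussed in the thread; the stored
# hash is the NT hash of the constructed password "password".
SAMPLE_LDIF = """\
dn: uid=jfh,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: jfh
krb5PrincipalName: jfh@CISE.UFL.EDU
krb5KeyVersionNumber: 0
krb5KDCFlags: 382
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
"""

if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    print("NT hash      :", nt_hash("password").hex())
    print("rc4-hmac key :", rc4_hmac_string_to_key("password").hex())
    print("in sync      :", keys_in_sync(entry, "password"))
    print("after drift  :", keys_in_sync(entry, "changed-elsewhere"))
```

Running it shows the NT hash and the rc4-hmac key as the same hex string, `in sync` true for the constructed password and false once the password is changed on only one side. The check is a consistency probe for an administrator's provisioning or audit script, not a replacement for letting one system own the password change; the krb5Key attribute itself is DER-encoded and is deliberately not parsed here.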