
Re: Kerberos attributes with ldap/samba for a heimdal backend

On Sat, 2005-03-26 at 11:33 +0100, Love Hörnquist Åstrand wrote:
> "James F. Hranicky" <jfh@cise.ufl.edu> writes:
> > In working on the unified samba/heimdal/openldap account DB, I've run 
> > across the following. If my users have only the following objectClass
> > definitions:
> >
> >     objectClass: inetOrgPerson
> >     objectClass: sambaSamAccount
> >     objectClass: posixAccount
> >
> > along with the typical samba/posix attributes, I find that I can't
> > set any kerberos-specific attributes:
> If it's a samba entry, all samba attributes are translated to kerberos
> equivalents, but on writing back an entry, they are not modified. I guess
> that could be improved.
> > If I add the following attributes to the LDAP entry:
> >
> >     objectClass: krb5Principal
> >     objectClass: krb5KDCEntry
> >     krb5PrincipalName: jfh@CISE.UFL.EDU
> >     krb5KeyVersionNumber: 0
> >     krb5KDCFlags: 382
> >  
> > I can then set krb-specific attributes, but when I change the password 
> > using kadmin, I do change the Samba password, but I end up adding krb5Key
> > attributes on doing so, which effectively separates the samba password 
> > from the heimdal password (a change via smbpasswd gives me two different
> > passwords).
> >
> > I believe this happens because in the function LDAP__lookup_princ()
> > in hdb-ldap.c, the filter tried first is
> Isn't the problem that samba changes the smb password but not the krb5Key
> entry, so if you want to keep them in sync, make sure you only have arcfour
> enctypes (or disallow smbpasswd).

The idea behind the smbk5pwd module is that Samba is told 'let the LDAP
server take care of it', and that module fills in the Heimdal
attributes.  Or you don't add the heimdal objectclass, and then
everything just reads/writes the Samba passwords (this is what I use at
Hawker, as I couldn't trivially upgrade OpenLDAP to a version that
supported the module).

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
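The thread describes three account shapes a unified Samba/Heimdal/OpenLDAP directory can end up with: Samba-only entries (hdb-ldap derives the Kerberos view from the Samba attributes), entries that also carry krb5Principal/krb5KDCEntry but no keys, and entries where kadmin has written krb5Key attributes so that two independent password stores now exist. The following audit script is an added example, not code from Heimdal, Samba or any of the posters; it parses LDIF with a small hand-written parser and classifies each account by that criterion. The two LDIF entries and their attribute values are constructed for the example, and the status labels are my own.

```python
"""Audit LDIF entries for accounts whose Samba and Heimdal passwords can drift.

Hypothetical helper (not Samba's or Heimdal's own code).  The sample LDIF
below is constructed for this example; hash values are placeholders.
"""
import base64
from collections import defaultdict

# Constructed sample: alice is Samba-only, bob also has the Heimdal
# objectClasses plus a krb5Key written by kadmin (the divergence case).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
uid: alice
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: bob
krb5PrincipalName: bob@EXAMPLE.COM
krb5KeyVersionNumber: 0
krb5KDCFlags: 382
krb5Key:: MDAwMA==
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210
"""


def parse_ldif(text):
    """Minimal LDIF parser returning a list of {attribute: [values]} dicts.

    Handles folded lines (leading space), comments and base64 ('::') values.
    Attribute names are kept as written; callers compare case-insensitively.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        if current is None:
            current = defaultdict(list)
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64value'
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        else:
            value = value.strip()
        current[attr].append(value)
    if current:
        entries.append(current)
    return entries


def audit(entries):
    """Classify each account by how its Samba and Kerberos credentials relate.

    Returns {uid: status}.  'split-stores' marks entries where krb5Key
    attributes exist next to the Samba hashes, i.e. a kadmin password change
    and an smbpasswd change no longer touch the same secret unless something
    like the smbk5pwd overlay keeps them in sync.
    """
    report = {}
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        uid = entry.get("uid", ["?"])[0]
        has_samba = "sambasamaccount" in classes
        has_krb = "krb5kdcentry" in classes
        if has_samba and not has_krb:
            report[uid] = "samba-only"        # Kerberos view derived from Samba attrs
        elif has_samba and has_krb:
            if entry.get("krb5Key"):
                report[uid] = "split-stores"  # two passwords that can diverge
            else:
                report[uid] = "dual-no-keys"  # krb5 classes present, keys still derived
        elif has_krb:
            report[uid] = "kerberos-only"
        else:
            report[uid] = "no-credentials"
    return report


if __name__ == "__main__":
    for uid, status in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{uid}: {status}")
```

Run it against an `ldapsearch -LLL` dump of the People subtree to list which accounts would be affected by the kadmin/smbpasswd split described above; entries reported as `split-stores` are the ones that need either the smbk5pwd module or a policy of only arcfour enctypes to stay consistent.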
