
Re: Kerberos attributes with ldap/samba for a heimdal backend

On Sat, 26 Mar 2005 11:33:51 +0100
Love Hörnquist Åstrand <lha@kth.se> wrote:

> > In working on the unified samba/heimdal/openldap account DB, I've run 
> > across the following. If my users have only the following objectClass
> > definitions:
> >
> >     objectClass: inetOrgPerson
> >     objectClass: sambaSamAccount
> >     objectClass: posixAccount

> If it's a samba entry, all samba attributes are translated to kerberos
> equivalents, but on writing back an entry, they are not modified. I guess
> that could be improved.

In this instance, however, if it's a pure samba entry, it will not have the

	krb5KDCFlags

attribute, so I cannot set any Kerberos attributes like 'requires-pre-auth'.

> > If I add the following attributes to the LDAP entry:
> >
> >     objectClass: krb5Principal
> >     objectClass: krb5KDCEntry
> >     krb5PrincipalName: jfh@CISE.UFL.EDU
> >     krb5KeyVersionNumber: 0
> >     krb5KDCFlags: 382
> >  
> > I can then set krb-specific attributes, but when I change the password 
> > using kadmin, I do change the Samba password, but I end up adding krb5Key
> > attributes on doing so, which effectively separates the samba password 
> > from the heimdal password (a change via smbpasswd gives me two different
> > passwords).
> >
> > I believe this happens because in the function LDAP__lookup_princ()
> > in hdb-ldap.c, the filter tried first is
> 
> Isn't the problem that samba changes the smb password but not the krb5Key
> entry, so if you want to keep them in sync, make sure you only have arcfour
> enctypes (or disallow smbpasswd).

Well, I may be mistaken, but I think the problem is that if the samba entry
has kerberos LDAP attributes, LDAP__lookup_princ() will treat it as a heimdal
entry. It first looks for

    (&(objectClass=krb5Principal)(krb5PrincipalName=%s))

then if that's not found, it looks for

    (&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))

In other words, it checks for kerberos LDAP attributes and treats the entry
as a kerberos entry regardless of whether it also is a samba account.

So, I was wondering if we reversed it so that if the entry has the
sambaSamAccount LDAP attribute we treat it as a samba entry and change
only the sambaNTPassword attribute rather than adding krb5Key 
attributes.

This way, we could have kerb-specific attributes like krb5KDCEntry
(so we can set Kerberos (non-LDAP) attributes like requires-pre-auth) and 
still only change sambaNTPassword when the password needs to be changed 
by any application.

> > Would it cause problems if the filters were switched so that if
> > the sambaSamAccount objectClass exists it's treated as a samba
> > entry instead of the other way around?
> 
> The filters are just for finding the entry, all attributes are
> extracted. The entry is later probed and treated like samba and/or heimdal
> entry.

Right, it's just a matter of which is checked first. If we switch the order,
samba entries will get treated as such regardless of whether they have
kerb attributes or not (I think) by LDAP__lookup_princ().

The only hitch is that I don't know if making this change would affect things
other than password changing as I'm not sure off the top of my head how
LDAP__lookup_princ() is used in other places.

OTOH, if we just get rid of the krb5EncryptionType LDAP attribute then it 
appears that the smbk5passwd module does a good job of keeping 
sambaNTPassword and the krb5Key entries in sync.

-- 
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
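The lookup order discussed in this thread, as an added illustration that is not part of the original message or of Heimdal's hdb-ldap.c: a simplified model of the two filters LDAP__lookup_princ() tries, run against a constructed directory containing one pure Samba entry and one entry that carries both sambaSamAccount and krb5Principal (as in the post). The entries, the "handler" labels and the set of attributes each handler writes on a password change are assumptions made for the example; they follow the behaviour described in the thread, not the real code.

```python
# Added example (not Heimdal's hdb-ldap.c): a simplified model of how the
# order of the two LDAP filters decides whether an entry with both
# sambaSamAccount and krb5Principal is handled as a Kerberos or a Samba entry.
# Directory contents, handler names and the attributes written per handler
# are constructed for illustration; real hdb-ldap behaviour may differ.

from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed directory: 'alice' is a pure Samba account, 'jfh' has the
# Kerberos objectClasses added on top (the situation described in the thread).
DIRECTORY: List[Entry] = [
    {
        "dn": ["uid=alice,ou=people,dc=example,dc=com"],
        "objectClass": ["inetOrgPerson", "sambaSamAccount", "posixAccount"],
        "uid": ["alice"],
        "sambaNTPassword": ["<nt-hash-placeholder>"],
    },
    {
        "dn": ["uid=jfh,ou=people,dc=example,dc=com"],
        "objectClass": ["inetOrgPerson", "sambaSamAccount", "posixAccount",
                        "krb5Principal", "krb5KDCEntry"],
        "uid": ["jfh"],
        "krb5PrincipalName": ["jfh@CISE.UFL.EDU"],
        "krb5KeyVersionNumber": ["0"],
        "krb5KDCFlags": ["382"],
        "sambaNTPassword": ["<nt-hash-placeholder>"],
    },
]


def has(entry: Entry, attr: str, value: str) -> bool:
    """Case-insensitive attribute/value match (LDAP matching rule for these attrs)."""
    return value.lower() in (v.lower() for v in entry.get(attr, []))


def krb5_filter(entry: Entry, principal: str) -> bool:
    """(&(objectClass=krb5Principal)(krb5PrincipalName=%s))"""
    return (has(entry, "objectClass", "krb5Principal")
            and has(entry, "krb5PrincipalName", principal))


def samba_filter(entry: Entry, principal: str, structural_class: str = "account") -> bool:
    """(&(|(objectClass=sambaSamAccount)(objectClass=%s))(uid=%s))
    The principal's name part (before '@') is used as the uid; the second
    objectClass is an assumed structural class name."""
    uid = principal.split("@", 1)[0]
    return ((has(entry, "objectClass", "sambaSamAccount")
             or has(entry, "objectClass", structural_class))
            and has(entry, "uid", uid))


def lookup_princ(principal: str, samba_first: bool = False) -> Optional[Tuple[str, Entry]]:
    """Return (handler, entry) for the first filter that matches any entry.
    Default order is the one the thread describes (Kerberos filter first);
    samba_first=True models the proposed swap."""
    order = [("heimdal", krb5_filter), ("samba", samba_filter)]
    if samba_first:
        order.reverse()
    for handler, flt in order:
        for entry in DIRECTORY:
            if flt(entry, principal):
                return handler, entry
    return None


def password_attributes_written(principal: str, samba_first: bool = False) -> Optional[Tuple[str, ...]]:
    """Attributes a password change would touch under the chosen ordering.
    Assumed model from the thread: the heimdal handler updates sambaNTPassword
    and also adds krb5Key; the samba handler writes only sambaNTPassword."""
    found = lookup_princ(principal, samba_first)
    if found is None:
        return None
    handler, _ = found
    if handler == "heimdal":
        return ("krb5Key", "sambaNTPassword")
    return ("sambaNTPassword",)


if __name__ == "__main__":
    for p in ("jfh@CISE.UFL.EDU", "alice@CISE.UFL.EDU"):
        print(p, "| kerberos filter first:", password_attributes_written(p),
              "| samba filter first:", password_attributes_written(p, samba_first=True))
```

Running it shows the point of the thread: with the Kerberos filter first, jfh's entry is handled as a Heimdal entry and a password change adds krb5Key next to sambaNTPassword, so the two can drift apart; with the Samba filter first, the same entry is handled as Samba and only sambaNTPassword is written, while the pure Samba account alice is treated the same way under both orderings.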