
Re: Patch to prevent krb5Key attrs in Samba LDAP entries



On Wed, 2005-05-18 at 22:38 -0400, James F. Hranicky wrote:
> On Thu, 19 May 2005 11:16:49 +1000
> Andrew Bartlett <abartlet@samba.org> wrote:
> 
> > > 	- removes the need for the smbk5pwd overlay for Heimdal/Samba
> > > 	  syncing
> > 
> > I still think this is the best way forward, but I know it isn't easy
> > changing details on the LDAP server side of things (which is why I have
> > not been able to run that overlay).
> 
> Sorry, I'm not sure I get your meaning -- you like the idea of using
> the overlay? Could you elaborate on why?

Yes, I think the overlay is a good idea, because it is better to have
all the different enc types set, if possible.  Even if you don't like
the old DES types (and while we may not like them, many systems don't
know better), this would allow support of the new AES types.

> > > 	- prevents the unnecessary addition of the krb5EncryptionType
> > > 	  attribute
> > > 
> > > This probably isn't the best way to handle this as there's no configuration
> > > option, so I'd appreciate any comments on this issue.
> > 
> > I think the last point is the key issue here.  A patch that I think
> > would make more sense is one that uses the presence of an existing
> > krb5key attribute to determine if it should be updated.

Naturally, this would also require the presence of a sambaSamAccount on
the entry, otherwise you could never set a key on an entry without
anything.

> I could probably code it up if there's interest in getting it into
> the distribution.

I would certainly appreciate it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
