On Sat, 2005-03-26 at 11:33 +0100, Love Hörnquist Åstrand wrote:
> "James F. Hranicky" <jfh@cise.ufl.edu> writes:
>
> > In working on the unified samba/heimdal/openldap account DB, I've run
> > across the following. If my users have only the following objectClass
> > definitions:
> >
> > objectClass: inetOrgPerson
> > objectClass: sambaSamAccount
> > objectClass: posixAccount
> >
> > along with the typical samba/posix attributes, I find that I can't
> > set any kerberos-specific attributes:
>
> If it's a samba entry, all samba attributes are translated to kerberos
> equivalent, but on writing back an entry, they are not modified. I guess
> that could be improved.
>
> > If I add the following attributes to the LDAP entry:
> >
> > objectClass: krb5Principal
> > objectClass: krb5KDCEntry
> > krb5PrincipalName: jfh@CISE.UFL.EDU
> > krb5KeyVersionNumber: 0
> > krb5KDCFlags: 382
> >
> > I can then set krb-specific attributes, but when I change the password
> > using kadmin, I do change the Samba password, but I end up adding krb5Key
> > attributes on doing so, which effectively separates the samba password
> > from the heimdal password (a change via smbpasswd gives me two different
> > passwords).
> >
> > I believe this happens because in the function LDAP__lookup_princ()
> > in hdb-ldap.c, the filter tried first is
>
> Isn't the problem that samba changes the smb password but not the krb5Key
> entry, so if you want to keep them in sync, make sure you only have arcfour
> enctypes (or disallow smbpasswd).

The idea behind the smbk5pwd module is that Samba is told 'let the LDAP
server take care of it', and that module fills in the Heimdal attributes.

Or you don't add the heimdal objectclass, and then everything just
reads/writes the Samba passwords (this is what I use at Hawker, as I
couldn't trivially upgrade OpenLDAP to a version that supported the
module).
Andrew Bartlett

-- 
Andrew Bartlett                                 http://samba.org/~abartlet/
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   http://hawkerc.net
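The thread describes three shapes an account can take in a shared Samba/Heimdal/OpenLDAP directory: Samba attributes only (Heimdal derives keys from them, nothing to drift), Samba plus the krb5KDCEntry objectClass without krb5Key values yet (the next kadmin password change will add them), and Samba plus krb5KDCEntry with krb5Key values already present (where an smbpasswd change leaves the Kerberos keys behind unless smbk5pwd or an arcfour-only policy keeps them together). The following audit script is an added example, not code from this thread, Samba or Heimdal: it parses an LDIF export and reports which accounts fall into the risky third shape. The LDIF content and the krb5Key bytes are constructed sample data; the objectClass and attribute names are the ones quoted in the thread. The `divergence_risks` and `classify` helpers and the status labels are this example's own names.

```python
"""Audit an LDIF export for Samba/Heimdal accounts whose passwords can diverge."""
import base64
from typing import Dict, List

# Constructed sample export (not real directory data). One entry per account
# shape discussed in the thread. The krb5Key values are arbitrary bytes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: bob
krb5PrincipalName: bob@EXAMPLE.COM
krb5KeyVersionNumber: 0
krb5KDCFlags: 382

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: carol
krb5PrincipalName: carol@EXAMPLE.COM
krb5KeyVersionNumber: 1
krb5KDCFlags: 382
krb5Key:: MDEyMzQ1Njc4OWFiY2RlZg==
krb5Key:: MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=
"""

# Status labels used by this example (not Samba or Heimdal terminology).
STATUS_HELP = {
    "not-samba": "no sambaSamAccount objectClass; outside the scope of this audit",
    "samba-only": "Heimdal derives keys from the Samba attributes; nothing to drift",
    "dual-no-keys": "krb5KDCEntry present, no krb5Key yet; the next kadmin cpw adds one",
    "dual-with-keys": "krb5Key stored beside the Samba password; smbpasswd changes will "
                      "not touch it unless smbk5pwd (or an arcfour-only policy) is in use",
}


def _lines_to_entry(lines: List[str]) -> Dict[str, List[bytes]]:
    """Turn the unfolded lines of one LDIF record into {attr: [values]}.
    Attribute names are lower-cased because LDAP treats them case-insensitively;
    'attr:: base64' values are decoded, plain 'attr: value' values kept as bytes."""
    entry: Dict[str, List[bytes]] = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            data = base64.b64decode(rest[1:].strip())
        else:
            data = rest.strip().encode()
        entry.setdefault(name.strip().lower(), []).append(data)
    return entry


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF reader: folded continuation lines, comments, blank-line
    record separators and multi-valued attributes."""
    entries: List[Dict[str, List[bytes]]] = []
    current: List[str] = []
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last record
        if raw.startswith(" ") and current:  # folded continuation of previous line
            current[-1] += raw[1:]
        elif raw == "":
            if current:
                entries.append(_lines_to_entry(current))
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    return entries


def classify(entry: Dict[str, List[bytes]]) -> str:
    """Map one entry onto the account shapes described in the thread."""
    classes = {v.decode().lower() for v in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return "not-samba"
    if "krb5kdcentry" not in classes:
        return "samba-only"
    return "dual-with-keys" if entry.get("krb5key") else "dual-no-keys"


def audit(text: str) -> Dict[str, str]:
    """Return {dn: status} for every record in an LDIF export."""
    return {e["dn"][0].decode(): classify(e) for e in parse_ldif(text)}


def divergence_risks(text: str) -> List[str]:
    """DNs whose Samba and Heimdal passwords can silently go out of sync."""
    return [dn for dn, status in audit(text).items() if status == "dual-with-keys"]


if __name__ == "__main__":
    for dn, status in audit(SAMPLE_LDIF).items():
        print(f"{dn}\n    {status}: {STATUS_HELP[status]}")
    print("at risk:", divergence_risks(SAMPLE_LDIF))
```

Run it against `slapcat` output (or any LDIF export of the people subtree) instead of the embedded sample to get the list of accounts that need either the smbk5pwd overlay or the arcfour-only/no-smbpasswd policy Love suggests; an empty `divergence_risks` result means every Samba account is in one of the two shapes the thread calls safe.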