
Re: Kerberos attributes with ldap/samba for a heimdal backend



On Tue, 29 Mar 2005 11:51:33 -0500
"James F. Hranicky" <jfh@cise.ufl.edu> wrote:

> > Isn't the problem that samba changes the smb password but not the krb5Key
> > entry, so if you want to keep them in sync, make sure you only have arcfour
> > enctypes (or disallow smbpasswd).
> 
> Well, I may be mistaken, but I think the problem is that if the samba entry
> has kerberos LDAP attributes, LDAP__lookup_princ() will treat it as a heimdal
> entry. It first looks for

Turns out this is not the case. The problem (if you want to call it that)
was this piece of code:

    for (i = 0; i < ent->keys.len; i++) {

        if (is_samba_account
            && ent->keys.val[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {

            [ .... ]
        }
        else if (is_heimdal_entry) {
            unsigned char *buf;
            size_t len, buf_size;

            ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->keys.val[i], &len, ret);
            if (ret)
                goto out;
            if (buf_size != len)
                krb5_abortx(context, "internal error in ASN.1 encoder");

            /* addmod_len _owns_ the key, doesn't need to copy it */
            ret = LDAP_addmod_len(&mods, LDAP_MOD_ADD, "krb5Key", buf, len);
            if (ret)
                goto out;
        }
    }

If I comment out the "else if (is_heimdal_entry) { [ ... ] }" section,
then I can have Kerberos attributes like krb5PrincipalName and
krb5KDCFlags in my LDAP entries, and a password change from the heimdal
side does not generate krb5Key entries. In this way, samba and heimdal
can each have their own specific attributes but still share the same key.

Password changes from either side are thus usable by the other without 
having to use the smbk5pwd overlay in openldap.

If password history checking is added to heimdal, in this instance only the
sambaPasswordHistory field would need to be checked, which would at the 
very least keep the LDAP entries smaller than adding one or more fields 
to track the krb5Keys as well. 

In the end, it strikes me as useful to have as many attributes shared
between samba/heimdal as possible just to cut down on the need for
any kind of synchronization.

Thoughts?

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh@cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------