Re: Patch to prevent krb5Key attrs in Samba LDAP entries
Andrew Bartlett wrote:
> On Wed, 2005-05-18 at 16:46 -0400, James F. Hranicky wrote:
>
>>The following patch keeps Samba LDAP entries from being populated with
>>krb5Key LDAP attributes even if other Kerberos attributes are available.
>>
>>This accomplishes the following:
>>
>> - ensures Heimdal and Samba share only 1 key
>> - removes the need for the smbk5pwd overlay for Heimdal/Samba
>> syncing
> I still think this is the best way forward,

Agreed. Not to mention, there are also still sites that perform LDAP
Simple Binds and other SASL secret-based mechs. Using the smbk5pwd
overlay ensures that all of these mechs work in a unified fashion. If
you only patch Heimdal and Samba to play with each other, you still
haven't solved the unification problem for SASL and low-function LDAP
clients.

> but I know it isn't easy
> changing details on the LDAP server side of things (which is why I have
> not been able to run that overlay).

Details like what, the schema definition, the ASN.1 structure of the data?

>> - prevents the unnecessary addition of the krb5EncryptionType
>> attribute
>>
>>This probably isn't the best way to handle this as there's no configuration
>>option, so I'd appreciate any comments on this issue.
> I think the last point is the key issue here. A patch that I think
> would make more sense is one that uses the presence of an existing
> krb5key attribute to determine if it should be updated.

Again, agreed.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support