RE: Smbk5pwd and Heimdal 0.7 not playing nice?



I guess that's a good point, the MIT krb5 and Heimdal krb5 libs cannot
co-exist in the same executable.  Makes sense, now the question is... How do
I keep autoconf from configuring slapd to link in the krb5 libs???  I've
tried --without-kerberos, etc., no luck yet.  Why does autoconf for OpenLDAP
include Kerberos libs when, as you say, slapd itself doesn't make use of
Kerberos (perhaps the clients do?).  I guess that's another question for
OpenLDAP ITS...

In the meantime, I'll just let Heimdal use the Samba NT hashes.  I didn't
realize that it's compatible.  What are the issues with this approach, aside
from not being able to set any specific krb5 settings?  Are there any
problems with the encryption type, etc.?

BTW, I use the MIT krb5 clients with the Heimdal KDC. How do I disable the
stupid password expiry message when there is one set?  (Off-topic, but might
as well include it all in one breath  ;-)

[pfnguyen@ares ~]$ kinit # MIT krb5 kinit
Password for pfnguyen@GOFTI.COM:
Warning: Your password will expire in 11856 days on Mon Jan 18 19:14:07 2038
### (uh, thanks, I'll make sure to change my password on Jan 17, 2038) ###

Thanks.

> -----Original Message-----
> From: Howard Chu [mailto:hyc@highlandsun.com] 
> Sent: Tuesday, August 02, 2005 7:15 PM
> To: Perry Nguyen
> Cc: 'Love Hörnquist Åstrand'; heimdal-discuss@sics.se
> Subject: Re: Smbk5pwd and Heimdal 0.7 not playing nice?
>
> You cannot use two different Kerberos libraries in the same program.
>
> As a general rule, the MIT Kerberos libraries are unsafe for use in
> threaded programs. They are known to cause memory leaks and SEGVs when
> linked into slapd. These problems do not occur when using the Heimdal
> libraries. The OpenLDAP project recommends against using the MIT
> libraries.
>
> Furthermore, slapd doesn't call any Kerberos library functions itself.
> There should be no reason for any Kerberos libraries to be directly
> linked to slapd. The only supported use of Kerberos with slapd is
> through the SASL GSSAPI mechanism, and that is all handled by Cyrus
> SASL, slapd never touches any Kerberos APIs.