Integrate Heimdal's hdb-ldap and Samba

Andrew Bartlett abartlet at
Sun Mar 7 00:24:11 GMT 2004

On Sun, 2004-03-07 at 10:48, Love wrote:
> Andrew Bartlett <abartlet at> writes:
> >> Shouldn't type-23 keys be stored in both entries ?
> >
> > Perhaps they should.  I'm a bit worried about storing duplicate data -
> > what do we do when they don't match?  Now, that is pretty lame, as if
> > the two representations of the type-23 key don't match, then the DES
> > keys would also be in conflict with the NT password....
> Well, at least by storing the data it's possible to detect a mismatch. Is
> there a password changing protocol in SMB/CIFS so that data can get out of
> sync?

There certainly is a password change protocol :-)

I would not object to storing both, and asserting that they are the same
in Heimdal.  Samba can't assert that they are the same, but the only
heimdal code that is going to be used will update the Samba passwords
anyway, so it is a non-issue.

There is some work being done to implement an OpenLDAP-side 'password
set' operation, so that both Heimdal and Samba 'set' the password with
the 'password set' extended operation, and all relevant things are

> >> The db really need to store all the data, so using something like
> >> HDBEntry2OldHDBEntry wouldn't work.
> >
> > OK.
> So, I did a patch that almost does this in a forward
> compatible manner by using ANY. It breaks forward compat, but should be ok in
> the future.
> But I've not tested the patch yet, more than compiling it.
> You changed the structural object class from person to account, is this
> wise?

I certainly think it is.  Person requires the account to be a real
human, and I would claim that machines are not.  Furthermore, it matches
what Samba does.

> Dunno how to express the data for ldap. Example of data that I want to
> store in the extention structure is pkinit acl's, certificates, old keys
> (krbtgt's). I guess part of that is expresable in ldap (pkinit acl's at
> least, because that is what MS does).

People have generally found that almost anything can be shoved into
LDAP, given sufficient force ;-)

For X.509 certificates, there is an objectClass
(strongAuthenticationUser) and an attribute (userCertificate) for it.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
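The "store both and assert they are the same" idea discussed in the message above, worked through as an added example; this is not code from Samba or Heimdal. It rests on one established fact: the Kerberos rc4-hmac (enctype 23) key is exactly the NT hash, MD4 over the UTF-16LE encoding of the password, so Samba's sambaNTPassword and Heimdal's enctype-23 key are two copies of the same 16 bytes. The attribute name krb5KeyRc4Hmac and the hex encoding of the Heimdal key are assumptions made for illustration (real hdb-ldap stores keys in an ASN.1 structure); sambaNTPassword is Samba's real attribute. MD4 is implemented inline because hashlib's md4 is missing on many OpenSSL 3 builds. The example shows the single "password set" path that writes both attributes, and the drift you get when the SMB password-change path updates only one of them, which is what the assertion on load is meant to catch.

```python
"""NT hash / rc4-hmac key consistency between a Samba and a Heimdal LDAP entry.

Added example, not project code.  Attribute 'krb5KeyRc4Hmac' is hypothetical.
"""
import struct

_MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (pure Python, so it works without OpenSSL legacy providers)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Round 1: F(b,c,d) = (b & c) | (~b & d), words in order 0..15
        for i in range(16):
            s = (3, 7, 11, 19)[i % 4]
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _MASK, s)
            a, b, c, d = d, a, b, c
        # Round 2: G = majority, words 0,4,8,12,1,5,9,13,...
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK, s)
            a, b, c, d = d, a, b, c
        # Round 3: H = xor, words 0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):
            s = (3, 9, 11, 15)[i % 4]
            a = _rotl((a + (b ^ c ^ d) + x[order[i]] + 0x6ED9EBA1) & _MASK, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash == Kerberos rc4-hmac (enctype 23) key: MD4 over UTF-16LE password."""
    return md4(password.encode("utf-16-le"))


def set_password(entry: dict, password: str) -> None:
    """The single 'password set' path: derive once, write both representations."""
    h = nt_hash(password).hex().upper()
    entry["sambaNTPassword"] = h          # Samba's attribute, 32 hex chars
    entry["krb5KeyRc4Hmac"] = h           # hypothetical hex form of the Heimdal enctype-23 key


def smb_change_password(entry: dict, password: str) -> None:
    """Constructed model of an SMB password change that only knows about Samba's attribute."""
    entry["sambaNTPassword"] = nt_hash(password).hex().upper()


def keys_consistent(entry: dict) -> bool:
    """What Heimdal could assert on load: both copies of the enctype-23 key agree."""
    samba = entry.get("sambaNTPassword", "").upper()
    krb = entry.get("krb5KeyRc4Hmac", "").upper()
    return bool(samba) and samba == krb


def verify_password(entry: dict, password: str) -> bool:
    """Check a candidate password against the Kerberos copy of the key."""
    return nt_hash(password).hex().upper() == entry.get("krb5KeyRc4Hmac", "").upper()


def demo():
    # Constructed entry in the shape the thread discusses: structural class 'account',
    # Samba and Kerberos auxiliary classes on the same object.
    entry = {
        "dn": "uid=ws01$,ou=Computers,dc=example,dc=com",
        "objectClass": ["account", "sambaSamAccount", "krb5Principal"],
        "uid": "ws01$",
        "krb5PrincipalName": "host/ws01.example.com@EXAMPLE.COM",
    }
    set_password(entry, "password")
    after_set = keys_consistent(entry)              # True: one hash, two attributes
    smb_change_password(entry, "n3w-passw0rd")
    after_smb_change = keys_consistent(entry)       # False: Samba copy moved, Kerberos copy did not
    return after_set, after_smb_change, entry


if __name__ == "__main__":
    ok, drifted, e = demo()
    print("consistent after password set:", ok)
    print("consistent after SMB-only change:", drifted)
    print("sambaNTPassword:", e["sambaNTPassword"], "krb5KeyRc4Hmac:", e["krb5KeyRc4Hmac"])
```

The point of keeping the check is that a bare comparison of two 32-character strings is cheap on every HDB fetch, and a mismatch is a definite signal that one of the two update paths was bypassed; the fix the message suggests, routing every change through one "password set" operation, is what set_password models.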

More information about the samba-technical mailing list