Clarification regarding Samba 3.x and Heimdal integration

Vinayak Hegde hvinayak at
Mon Nov 7 11:05:45 GMT 2005

Hi Andrew,
 Now that the LDAP back-end for MIT Kerberos is almost ready, I would
like to work on the integration of Samba 3.x and MIT Kerberos.
In that respect, I have studied how Heimdal is integrated with Samba
and following is my understanding. Please correct me if anything is

======  Summary of Samba 3.x and Heimdal Integration  START =====

The integration of Samba and Heimdal with OpenLDAP as the database
back-end is mainly to use the Samba account password, if present on the
Directory Tree, by the Heimdal Kerberos.

If the object is comprising of sambaSamAccount class, it is a samba
account and if it is having a krb5KDCEntry class, then it is a Heimdal
Samba user's account will mandatorily have uid as one of the attributes
and sambaNTPassword as optinal (will have no value if smb password is
not set) attribute.

The following are the mapped attributes that Heimdal principal uses
from the samba account:
krb5PrincipalName  <-->  uid
krb5ValidEnd       <-->  sambaKickoffTime
krb5PassowrdEnd    <-->  sambaPwdMustChange
krb5Key (rc4-hmac-md5 = 23) <-->  sambaNTPassword

for eg, if uid=sambauser1, then the derived krbprincname will be
sambauser1 at REALM1.

While storing the kerberos keys in Heimdal, the following logic is
a. convert the given password to key (str2key)
b. if the entry is a samba account and the encryption type is 23
(rc4-hmac-md5), then
     b.1 convert the key to hex format
     b.2 store that hex value in sambaNTPassword attribute (Replace)
     b.3 delete the sambaLMPassword attribute value (most probably,
this is done to indicate samba code that the passwd has been changed)
     store the key into krb5Key attribute of the entry

A reverse logic is applied for reading the key from the LDAP store.

In summary, If the supported enctype is 23, then if entry is the samba
account, then use sambaNTPassword to store/get the information.

======  Summary of Samba 3.x and Heimdal Integration  END =====

I did not understand completely about "how Heimdal honours the Samba
login and account policies"? sambaKickoffTime and sambaPwdMustChange are
the only attributes that are involved?
Could you please explain me about that in more detail?


More information about the samba-technical mailing list