Clarification regarding Samba 3.x and Heimdal integration

Vinayak Hegde hvinayak at
Tue Nov 8 03:16:34 GMT 2005

Thanks for the clarifications.


From: Andrew Bartlett <abartlet at>
To:Vinayak Hegde <hvinayak at>
Date: 11/07/05 4:57 pm
Subject: Re: Clarification regarding Samba 3.x and Heimdal integration
CC:<samba-technical at>, Lars Mueller <lmuelle at>
On Sun, 2005-11-06 at 22:59 -0700, Vinayak Hegde wrote:
> Hi Andrew,
>  Now that the LDAP back-end for MIT Kerberos is almost ready, I would
> like to work on the integration of Samba 3.x and MIT Kerberos.
> In that respect, I have studied how Heimdal is integrated with Samba
> and following is my understanding. Please correct me if anything is
> incorrect:

This looks pretty much correct.

> ======  Summary of Samba 3.x and Heimdal Integration  START =====
> The integration of Samba and Heimdal with OpenLDAP as the database
> back-end is mainly to use the Samba account password, if present on
> Directory Tree, by the Heimdal Kerberos.
> If the object comprises the sambaSamAccount class, it is a samba
> account, and if it has a krb5KDCEntry class, then it is a
> entry.
> A Samba user's account will mandatorily have uid as one of the
> and sambaNTPassword as an optional (will have no value if the smb password is
> not set) attribute.
> The following are the mapped attributes that Heimdal principal uses
> from the samba account:
> krb5PrincipalName  <-->  uid
> krb5ValidEnd       <-->  sambaKickoffTime
> krb5PasswordEnd    <-->  sambaPwdMustChange
> krb5Key (rc4-hmac-md5 = 23) <-->  sambaNTPassword
> For example, if uid=sambauser1, then the derived krbprincname will be
> sambauser1@REALM1.
> While storing the kerberos keys in Heimdal, the following logic is
> used:
> a. convert the given password to key (str2key)
> b. if the entry is a samba account and the encryption type is 23
> (rc4-hmac-md5), then
>      b.1 convert the key to hex format
>      b.2 store that hex value in sambaNTPassword attribute (Replace)
>      b.3 delete the sambaLMPassword attribute value (most probably,
> this is done to indicate samba code that the passwd has been

We could generate an LM hash, but it would be incorrect to leave it
alone.  With the code structure, it was easiest to delete it.

>    else
>      store the key into krb5Key attribute of the entry
> A reverse logic is applied for reading the key from the LDAP store.
> In summary, if the supported enctype is 23, then if the entry is the
> account, then use sambaNTPassword to store/get the information.
> ======  Summary of Samba 3.x and Heimdal Integration  END =====
> I did not get how Heimdal honours the Samba login and account
> Which attributes are involved in that?
> Could you please explain that to me in more detail?

This is where things get more painful.  Basically, the Heimdal support
is incomplete.  A complete solution would do all the work that
does in the account_ok() routine.  Allowed-workstations makes no
and logon hours is dodgy for kerberos, which leaves only bad password
counts.  Heimdal isn't set up for that kind of lockout, so it was
omitted.  I am working in Samba4 to allow that kind of lockout, by
addition of further hdb hooks.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Student Network Administrator, Hawker College
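The key-storage logic summarised in the quoted message (step a, the two branches of step b, and the reverse read path), written out as an added Python example; this is not code from the thread, from Samba or from Heimdal. The pure-Python MD4, the (operation, attribute, value) tuple shape for the LDAP modifications, and storing the raw key bytes in krb5Key for non-23 enctypes are assumptions made here for illustration (Heimdal encodes krb5Key values in ASN.1).

```python
import struct

M32 = 0xFFFFFFFF
RC4_HMAC_MD5 = 23  # the Kerberos enctype number quoted in the thread


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled in OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & M32
    rounds = ((F, 0, (3, 7, 11, 19), list(range(16))),
              (G, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for f, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rotl((a + f(b, c, d) + X[j] + k) & M32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # next step works on the register that was d
        state = [(s + v) & M32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def str2key_rc4(password: str) -> bytes:
    """Step a for enctype 23: MD4 over the UTF-16LE password, i.e. exactly the NT hash."""
    return md4(password.encode("utf-16-le"))


def key_store_mods(key: bytes, enctype: int, is_samba_account: bool) -> list:
    """Step b: LDAP modifications for storing one key, as (operation, attribute, value) tuples."""
    if is_samba_account and enctype == RC4_HMAC_MD5:
        # b.1 hex-encode the key as samba stores it; b.2 replace sambaNTPassword;
        # b.3 delete sambaLMPassword so samba is not left with a stale LM hash.
        return [("replace", "sambaNTPassword", key.hex().upper()), ("delete", "sambaLMPassword", None)]
    # else branch: key goes into krb5Key (raw bytes here is a simplifying assumption)
    return [("add", "krb5Key", key)]


def key_from_entry(entry: dict, enctype: int):
    """Reverse logic: enctype 23 on a samba account reads sambaNTPassword, otherwise krb5Key."""
    if enctype == RC4_HMAC_MD5 and "sambaSamAccount" in entry.get("objectClass", []):
        nt = entry.get("sambaNTPassword")  # absent when no smb password was ever set
        return bytes.fromhex(nt) if nt else None
    return entry.get("krb5Key")
```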
