[Samba] LDAP + SASL (kerberos) password syncing

Andrew Bartlett abartlet at samba.org
Fri Jan 21 02:58:37 GMT 2005


On Thu, 2005-01-20 at 20:58 -0500, Mark Roach wrote:
> Hi, Andrew.
> 
> On Fri, 2005-01-21 at 09:16 +1100, Andrew Bartlett wrote:
> > Samba doesn't have the plaintext password, so can't do things via PAM that
> > require the original plaintext.  At my site, I have Heimdal Kerberos
> > backed onto the same LDAP directory as Samba, so they share the
> > passwords for the arcfour-hmac-md5 encryption type, and so there is no
> > need for a separate Kerberos password set.  
> 
> Ahh, that makes sense. I am using heimdal, not using the ldap backend
> yet though. It sounds like the method described here:
> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
> right?

That's the URL I keep pointing at. :-)

> > You could also use the smbk5pwd OpenLDAP module, which will fill out the
> > other Kerberos encryption types at the same time.  (I'm not yet running
> > this).  I think this module should run with 'ldap password sync = only'.
> 
> That seems like the ideal situation. It sounds like I'm not going to be
> able to pull this off with the versions of openldap and heimdal in the
> debian repositories though. Not a big deal, but not ideal for my
> purposes. Perhaps I'll do some custom packaging.

I'll be interested to see what you come up with, and happy to help on
it.  I'm looking to move my LDAP off RedHat, so I can use the Heimdal
libs and this stuff :-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

