[Samba] samba3 and heimdal: both using ldap as backends

Andreas Hasenack ahasenack at terra.com.br
Fri Mar 17 14:42:12 GMT 2006


samba-3.0.21c, heimdal-0.7.2

The heimdal documentation[1] talks about a samba integration when both
samba and heimdal are using ldap as their backends. I quote:

"Now you can proceed as in See Using LDAP to store the database. Heimdal
will pick up the Samba LDAP entries if they are in the same search space
as the Kerberos entries."

There is absolutely no further documentation.
I tried with this tree:

dc=mycnc,dc=com
ou=People,dc=mycnc,dc=com

heimdal is configured to use ou=people (I also tried with
ou=KerberosPrincipals), where I already have some entries.

My goal is to use only one password to avoid the
sambaNTPassword/userPassword/kerberos mess (three passwords). I was
under the impression that this setup should get me that.

If I add a principal with a name that is already in ou=people as a posix
and samba account, I get this:
(...)
joao at MYCNC.COM's Password:
Verifying - joao at MYCNC.COM's Password:
kadmin: kadm5_create_principal: ldap_search_s: No such object
kadmin: adding joao: Principal or policy already exists

The ldap logs show these queries (first column is the number of entries returned):
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default at MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default at MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao at MYCNC.COM))"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"

A few questions:
a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's
the binddn after authz-regexp;

b) It found my user's entry (last search), why doesn't it add the kerberos attributes
to it? Or, better yet, what is supposed to be happening?


If I run kadmin to add a user that doesn't exist with
posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created,
which samba doesn't see.
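The slapd query lines quoted above lend themselves to a quick audit. The following is an added Python example (not code from the post, Heimdal or Samba) that parses lines in that `<entries> SRCH base=... filter=...` shape from a constructed sample, flags searches rooted at the bind DN instead of the configured search base, and flags krb5Principal lookups that matched nothing; the base and bind DN values are taken from the post, the sample log is constructed.

```python
import re

# Constructed sample modelled on the slapd lines quoted in the post (not the original log).
SAMPLE_LOG = """\
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=default@MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"
"""

# "<entries> SRCH base="..." scope=N deref=N filter="...""; the filter never contains a double quote.
LINE_RE = re.compile(
    r'^(?P<n>\d+)\s+SRCH\s+base="(?P<base>[^"]*)"\s+scope=(?P<scope>\d)\s+deref=\d\s+filter="(?P<filter>[^"]*)"$'
)


def parse_search_lines(text):
    """Turn each SRCH line into a dict; lines that do not match are ignored."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append({"entries": int(m["n"]), "base": m["base"],
                        "scope": int(m["scope"]), "filter": m["filter"]})
    return out


def is_under(dn, base):
    """True when dn equals base or sits below it (case-insensitive, ignoring spaces after commas)."""
    d = dn.lower().replace(", ", ",")
    b = base.lower().replace(", ", ",")
    return d == b or d.endswith("," + b)


def audit_searches(text, expected_base, bind_dn):
    """Return (base, filter, reason) for every search that is either rooted outside the
    configured search base (the bind DN case from the post) or a krb5Principal lookup
    that returned zero entries."""
    findings = []
    for s in parse_search_lines(text):
        if not is_under(s["base"], expected_base):
            why = "search base is the bind DN" if is_under(s["base"], bind_dn) \
                else "search base outside configured base"
            findings.append((s["base"], s["filter"], why))
        elif s["entries"] == 0 and "objectclass=krb5principal" in s["filter"].lower():
            findings.append((s["base"], s["filter"], "no krb5Principal entry matched"))
    return findings
```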
