[Samba] heimdal and windows compatibility up-to-date informations
Guillaume Rousse
Guillaume.Rousse at inria.fr
Fri Jul 18 09:59:34 GMT 2008
Andrew Bartlett wrote:
> On Thu, 2008-07-17 at 11:18 +0200, Guillaume Rousse wrote:
>> Hello list.
>>
>> Heimdal documentation still refers to Windows 2000 for Kerberos
>> compatibility issues. Is there anything more recent somewhere,
>> considering Windows 2003 and 2008, for instance ?
>>
>> In particular, I'm quite curious to know if, when using a ldap-backend
>> for heimdal, I could just copy my kerberos password attributes into the
>> AD server, provided I'm using compatible encryptions, and expect it to
>> work magically :)
>
> No.
>
> Perhaps we need to step back a bit - what are you trying to do?
First, to establish a trust relationship between the two realms, as was
already possible with previous heimdal/windows versions. But I think the
compatibility information given in the documentation about encryption types
supported by Windows has to be updated, I can't think Windows 2008
still supports only des-cbc-crc.
Second, I was looking at a better way to sync user accounts between our
new ldap-backed heimdal kdc and our windows AD. Currently, we have an
automated task synchronising user entries into Windows LDAP from our
Unix LDAP hourly, and a password-management CGI propagating password
changes to both systems (using an ugly VB CGI on the windows side to
effectively change the password). I was wondering if the password
handling stuff could be merged with the ldap synchronisation task, now
that we store kerberos keys in LDAP.
As I doubt from your answer it's not, I'm still interested in the best
way to handle AD user accounts remotely, without local windows code
relay. Is there any issue with directly modifying the AD base through an LDAP
connection? My windows colleague currently prefers to dump LDIF entries,
and import them through a windows-specific tool. And how to set a windows
password from perl code? I'm currently biased toward using an external
smbpassword call, but maybe there are better ways.
Thanks.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62