[Samba] heimdal and windows compatibility up-to-date informations

Guillaume Rousse Guillaume.Rousse at inria.fr
Fri Jul 18 09:59:34 GMT 2008

Andrew Bartlett a écrit :
> On Thu, 2008-07-17 at 11:18 +0200, Guillaume Rousse wrote:
>> Hello list.
>> Heimdal documentation still refers to Windows 2000 for Kerberos 
>> compatibility issues. Is there anything more recent somewhere, 
>> considering Windows 2003 and 2008, for instance ?
>> In particular, I'm quite curious to know if, when using a ldap-backend 
>> for heimdal, I could just copy my kerberos password attributes into the 
>> AD server, provided I'm using compatible encryptions, and expect it to 
>> work magically :)
> No.
> Perhaps we need to step back a bit - what are you trying to do?
First, to establish a trust relationship between the two realms, as was 
already possible with previous heimdal/windows version. But I think 
compatibility informations given on documentation about encryption types 
supported by Windows have to be updated, I can't think Windows 2008 
still supports only des-cbc-crc.

Second, I was looking at better way to sync users accounts between our 
new ldap-backed heimdal kdc and our windows AD. Currently, we have an 
automated task synchronising user entries into Windows LDAP from our 
Unix LDAP hourly, and a password-management CGI propagating password 
changes to both systems (using an ugly VB CGI on windows side to 
effectively change the password). I was wondering if the password 
handling stuff could be merged with the ldap synchronisation task, now 
we store kerberos keys in LDAP.

As I doubt from your answer it's not, I'm still interested about best 
way to handle AD user accounts remotely, without local windows code 
relay. Is there any issue directly modifying AD base through LDAP 
connection ? My windows colleage currently prefers to dump LDIF entries, 
and import them through a windows-specific tool. And how to set windows 
password from perl code ? I'm currently biased toward using an external 
smbpassword call, but maybe are they better ways.

Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62

More information about the samba mailing list