[Samba] heimdal and windows compatibility up-to-date informations

Andrew Bartlett abartlet at samba.org
Mon Jul 21 03:45:35 GMT 2008


On Fri, 2008-07-18 at 11:59 +0200, Guillaume Rousse wrote:
> Andrew Bartlett wrote:
> > On Thu, 2008-07-17 at 11:18 +0200, Guillaume Rousse wrote:
> >> Hello list.
> >>
> >> Heimdal documentation still refers to Windows 2000 for Kerberos
> >> compatibility issues. Is there anything more recent somewhere,
> >> considering Windows 2003 and 2008, for instance?
> >>
> >> In particular, I'm quite curious to know if, when using a ldap-backend 
> >> for heimdal, I could just copy my kerberos password attributes into the 
> >> AD server, provided I'm using compatible encryptions, and expect it to 
> >> work magically :)
> > 
> > No.
> > 
> > Perhaps we need to step back a bit - what are you trying to do?
> First, to establish a trust relationship between the two realms, as was
> already possible with previous heimdal/windows versions. But I think the
> compatibility information given in the documentation about encryption types
> supported by Windows has to be updated; I can't think Windows 2008
> still supports only des-cbc-crc.

There is an additional flag that you can specify to have it use
arcfour-hmac-md5 against 'MIT' realms.  The restriction on des-cbc-crc
was only ever on trusts; user accounts were almost all
arcfour-hmac-md5, and now in 2008 also AES.

> Second, I was looking at a better way to sync user accounts between our
> new ldap-backed heimdal kdc and our windows AD. Currently, we have an
> automated task synchronising user entries into Windows LDAP from our
> Unix LDAP hourly, and a password-management CGI propagating password
> changes to both systems (using an ugly VB CGI on the windows side to
> effectively change the password). I was wondering if the password
> handling stuff could be merged with the ldap synchronisation task, now
> that we store kerberos keys in LDAP.

Windows does not allow the password attributes to be manipulated like
that.  You could potentially read and set passwords with Samba4's
DRSUAPI synchronisation, but you can't do it with just Heimdal or just
LDAP.

> As I gather from your answer it's not, I'm still interested in the best
> way to handle AD user accounts remotely, without a local windows code
> relay. Is there any issue directly modifying the AD base through an LDAP
> connection? My windows colleague currently prefers to dump LDIF entries
> and import them through a windows-specific tool. And how to set a windows
> password from perl code? I'm currently biased toward using an external
> smbpassword call, but maybe there are better ways.

You could certainly run Samba tools to set the user's password, if you
wanted.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
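An added example, not code from this thread nor from Samba or Heimdal, showing what a scripted password reset against Active Directory over plain LDAP involves, since the question above asks about doing it from Perl and the answer points at Samba tools instead. AD does not accept writes to its Kerberos key attributes; the supported LDAP route is a replace of the `unicodePwd` attribute, whose value is the new password wrapped in double quotes and encoded UTF-16-LE, and which AD only accepts over a TLS-protected (LDAPS) connection. The code is Python rather than Perl; the DN, server URL and password are constructed sample values.

```python
import base64

# Sample values, constructed for this example only.
SAMPLE_DN = "CN=Jane Doe,OU=Users,DC=example,DC=org"
SAMPLE_URL = "ldaps://dc1.example.org"


def encode_unicode_pwd(password: str) -> bytes:
    """Return the raw value AD expects in the unicodePwd attribute.

    Active Directory stores the value as the password wrapped in double
    quotes and encoded as UTF-16-LE without a byte-order mark.
    """
    if '"' in password:
        # The quotes are delimiters and AD offers no escaping for them,
        # so refuse a password that would corrupt the value.
        raise ValueError("AD unicodePwd values cannot contain a double quote")
    return f'"{password}"'.encode("utf-16-le")


def is_confidential_url(url: str) -> bool:
    """True only for LDAPS URLs; AD rejects unicodePwd writes over plain ldap://."""
    return url.lower().startswith("ldaps://")


def build_password_reset_ldif(dn: str, password: str) -> str:
    """Build an LDIF 'modify' record replacing unicodePwd on one account.

    LDIF carries binary values base64-encoded after a '::' separator, so the
    record can be fed to ldapmodify (against an ldaps:// URL) or to any LDAP
    library's modify call after decoding.
    """
    value = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {value}",
        "-",
        "",
    ])


def decode_ldif_unicode_pwd(ldif: str) -> str:
    """Recover the plaintext from a record built above (round-trip check)."""
    for line in ldif.splitlines():
        if line.startswith("unicodePwd:: "):
            raw = base64.b64decode(line[len("unicodePwd:: "):])
            return raw.decode("utf-16-le").strip('"')
    raise ValueError("no unicodePwd value in record")


if __name__ == "__main__":
    if not is_confidential_url(SAMPLE_URL):
        raise SystemExit("refusing to send a password over a non-TLS LDAP URL")
    print(build_password_reset_ldif(SAMPLE_DN, "Tr0ub4dor&3"))
```

The record is an administrative reset (it needs reset-password rights on the target object), not a user-initiated change, which is the same distinction the Samba tools make; any script doing this should also reject an `ldap://` URL before sending anything, as the check above does.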