[Samba] heimdal and windows compatibility up-to-date informations

Pascal Levy pascal.levy at univ-paris3.fr
Thu Oct 9 14:29:22 GMT 2008

On Wednesday 08 October 2008 12:54:48 Guillaume Rousse wrote:
> I'm back on this old question, because I'm now really working on it.
> Andrew Bartlett wrote:
> >> Second, I was looking at better way to sync users accounts between our
> >> new ldap-backed heimdal kdc and our windows AD. Currently, we have an
> >> automated task synchronising user entries into Windows LDAP from our
> >> Unix LDAP hourly, and a password-management CGI propagating password
> >> changes to both systems (using an ugly VB CGI on windows side to
> >> effectively change the password). I was wondering if the password
> >> handling stuff could be merged with the ldap synchronisation task, now
> >> we store kerberos keys in LDAP.
> >
> > Windows does not allow the password attributes to be manipulated like
> > that.  You could potentially read and set passwords with Samba4's
> > DRSUAPI synchronisation, but you can't do it with just Heimdal or just
> > LDAP.

I don't know if this could be useful for you, but what we are doing here is to 
keep real users' passwords only in the heimdal KDC.

openldap authentication is done by using the sasl mechanism with 
{SASL}principal@REALM as the userPassword string.
AD authentication is done by using a trust relationship with the heimdal KDC and a 
mapping between AD accounts and heimdal KDC principals. ldap/heimdal/AD 
accounts are kept in sync with a perl script running every 15 min.
The AD userPassword is a (very) long random string created by the perl script and 
set in AD with ldap tools.

Users can change their password by using the normal windows change password 
interface. Admins can use heimdal tools to manage passwords directly on the 

Pascal Levy
Network and IT resources engineer

Bibliothèque InterUniversitaire Sainte Geneviève
tel. : (33) 1 44 41 97 53
Bibliothèque InterUniversitaire de Langues Orientales
tel. : (33) 1 44 77 95 00

pascal.levy at univ-paris3.fr
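As an added illustration of the setup Pascal describes (not his perl script, and not code from the Samba or Heimdal projects), the following Python snippet builds the three pieces such a sync job has to produce for one account: the `{SASL}principal@REALM` userPassword value that makes OpenLDAP delegate binds to the KDC, a long random throw-away password for the AD account, and an LDIF modify record that sets it via AD's `unicodePwd` attribute (which must be the password in double quotes, UTF-16LE encoded, sent over an LDAPS/TLS-protected connection). The principal-to-account mapping is expressed here with AD's `altSecurityIdentities` attribute, which is one standard way to map an external Kerberos principal to an AD account; the page does not say which attribute the original script used, so that part is an assumption. The user name, realm and DN are constructed sample values.

```python
import base64
import secrets
import string

# Constructed sample identities (assumptions for this example, not from the original post)
SAMPLE_USER = "jdoe"
SAMPLE_REALM = "EXAMPLE.ORG"
SAMPLE_AD_DN = "CN=jdoe,OU=People,DC=example,DC=org"

# Characters for the random AD password: letters, digits and punctuation, but no
# double quote, backslash or space, so the value survives the quoting in unicodePwd.
_PW_ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def sasl_userpassword(user: str, realm: str) -> str:
    """OpenLDAP userPassword value that delegates the simple bind to SASL
    (saslauthd -> Heimdal KDC). The directory itself stores no password hash."""
    return f"{{SASL}}{user}@{realm}"


def random_ad_password(length: int = 64) -> str:
    """Long random password parked in the AD account. Nobody needs to know it,
    because AD logons are satisfied through the trust with the Heimdal realm.
    Loops until all four character classes are present so AD's default
    complexity policy accepts the value."""
    while True:
        pw = "".join(secrets.choice(_PW_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw


def unicode_pwd(password: str) -> bytes:
    """Encode a password the way AD's unicodePwd attribute expects it:
    the value wrapped in double quotes, as UTF-16LE bytes."""
    return f'"{password}"'.encode("utf-16-le")


def ad_modify_ldif(dn: str, password: str, principal: str) -> str:
    """LDIF 'modify' record resetting the AD password and mapping the external
    Kerberos principal (altSecurityIdentities) so the realm trust can authenticate
    the user. unicodePwd is binary, hence the base64 '::' form."""
    b64 = base64.b64encode(unicode_pwd(password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {b64}\n"
        "-\n"
        "replace: altSecurityIdentities\n"
        f"altSecurityIdentities: Kerberos:{principal}\n"
        "-\n"
    )


def sync_record(user: str, realm: str, ad_dn: str) -> dict:
    """Everything the sync job needs for one account: the OpenLDAP value, the
    fresh AD password, and the LDIF to push to AD."""
    principal = f"{user}@{realm}"
    pw = random_ad_password()
    return {
        "openldap_userPassword": sasl_userpassword(user, realm),
        "ad_password": pw,
        "ad_ldif": ad_modify_ldif(ad_dn, pw, principal),
    }


if __name__ == "__main__":
    rec = sync_record(SAMPLE_USER, SAMPLE_REALM, SAMPLE_AD_DN)
    print("OpenLDAP userPassword:", rec["openldap_userPassword"])
    print(rec["ad_ldif"])
```

The LDIF is what you would feed to `ldapmodify` against a domain controller over LDAPS; AD refuses `unicodePwd` writes on a plaintext connection. Because the AD password is never handed to the user, the only place a real credential lives is the KDC, which is the point of the design: compromise of the AD sync account yields nothing that works against the Heimdal realm, and the random value should still be rotated on each sync run rather than reused.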
