[Samba] heimdal and windows compatibility up-to-date informations

Guillaume Rousse Guillaume.Rousse at inria.fr
Fri Oct 10 09:14:10 GMT 2008

Pascal Levy wrote:
> On Wednesday 08 October 2008 12:54:48 Guillaume Rousse wrote:
>> I'm back on this old question, because I'm now really working on it.
>> Andrew Bartlett wrote:
>>>> Second, I was looking at better way to sync users accounts between our
>>>> new ldap-backed heimdal kdc and our windows AD. Currently, we have an
>>>> automated task synchronising user entries into Windows LDAP from our
>>>> Unix LDAP hourly, and a password-management CGI propagating password
>>>> changes to both systems (using an ugly VB CGI on windows side to
>>>> effectively change the password). I was wondering if the password
>>>> handling stuff could be merged with the ldap synchronisation task, now
>>>> we store kerberos keys in LDAP.
>>> Windows does not allow the password attributes to be manipulated like
>>> that.  You could potentially read and set passwords with Samba4's
>>> DRSUAPI synchronisation, but you can't do it with just Heimdal or just
>>> LDAP.
> I don't know if this could be useful for you, but what we are doing here is to 
> keep real users' passwords only in the heimdal KDC.
> openldap authentication is made by using the sasl mechanism with 
> {sasl}principal@REALM as the userPassword chain.
> AD authentication is made by using a trust relationship with the heimdal KDC and a 
> mapping between AD accounts and heimdal KDC principals. ldap/heimdal/AD 
> accounts are kept in sync with a perl script running every 15 min.
> The AD userPassword is a (very) long random chain created by the perl script and 
> set in AD with ldap tools.
> Users can change their password by using the normal windows change password 
> interface. Admins can use heimdal tools to manage passwords directly on the 
> kdc.
That sounds really interesting, but I don't understand some points:

- how do you have AD know it can get a kerberos ticket from the heimdal 
KDC? Did you set the user's userPrincipalName attribute to a principal 
from the heimdal-managed realm?

- is the AD userPassword attribute ever used in this case?

- what's the exact usefulness of having OpenLDAP auth redirected to the SASL 
mechanism? Just for managing a single password? We have heimdal using 
openldap as backend, and use the smbkrb5 overlay to keep them synced 
already, so it may be useless for us.

- how do you prevent ExOP PasswdChange from rewriting the userPassword attribute 
with a normal value, and keep '{sasl}principal@REALM' instead?

- what exact ciphers did you use to ensure compatibility between heimdal 
and your AD controller? From the Heimdal documentation, we used 
des3-hmac-sha1 and des-cbc-crc, but it's quite old. From Andrew's previous 
answer, I understand we may use arcfour-hmac-md5 as well now.

Thanks for your input.
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62