[Samba] heimdal and windows compatibility up-to-date informations

Pascal Levy pascal.levy at univ-paris3.fr
Fri Oct 10 12:03:58 GMT 2008


On Friday 10 October 2008 11:14:10 Guillaume Rousse wrote:
> Pascal Levy wrote:
(...)
>
> That sounds really interesting, but I don't understand some points:
>
> - how do you have AD know it can get a kerberos ticket from the heimdal
> KDC ? Did you set the user userPrincipalName attribute to a principal
> from the heimdal managed realm ?
>

There is a special attribute in the AD LDAP schema, "altSecurityIdentities", which 
can be used for this purpose. You can access it with LDAP tools or, in the 
Windows AD MMC interface, by activating "advanced features" and "user mapping" 
in the contextual menu of a user object.

> - is the AD userPassword attribute ever used in this case ?
>

It could be if you want users to be able to choose between AD direct login or unix 
KDC authentication, but actually here, no, it's never used and nobody can 
access it.

> - what's the exact usefulness of having OpenLDAP auth redirected to SASL
> mechanism ? Just for managing a single password ? We have heimdal using
> openldap as backend, and use smbkrb5 overlay to keep them synced
> already, so it may be useless for us.
>

We wanted the heimdal KDC to be the unique central repository for our users' 
passwords, both for security and for synchronisation reasons.

> - how do you prevent ExOP PasswdChange from rewriting the userPassword attribute
> with a normal value, and keep '{sasl}principal@REALM' instead ?
>

You can do this with LDAP ACLs, but at the moment we actually manage this issue 
only at the interface level. We expect our users not to use LDAP command line 
tools...

> - what exact ciphers did you use to ensure compatibility between heimdal
> and your AD controller ? From the Heimdal documentation, we used
> des3-hmac-sha1 and des-cbc-crc, but it's quite old. From Andrew's previous
> answer, I understand we may use arcfour-hmac-md5 as well now.
>

This is an issue only for the key shared by the AD and the heimdal KDC 
(krbtgt/ADREALM@HEIMDALREALM). For this one, we kept only des-cbc-crc. It was 
the worst headache when I started working on this.

I have (since long) had to write complete documentation for all these things. For 
now, I only have a very partial one, about the trust between realms and user 
mapping. It's in French, I'm sorry for the list, but I guess that it can be OK 
for you, and perhaps better than my very bad English (sorry for that too).

Pascal

> Thanks for your input.



-- 
Pascal Levy
Network & IT resources engineer

Bibliothèque InterUniversitaire Sainte Geneviève
tel.: (33) 1 44 41 97 53
Bibliothèque InterUniversitaire de Langues Orientales
tel.: (33) 1 44 77 95 00

pascal.levy at univ-paris3.fr
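Two of the points discussed in the message above, setting the altSecurityIdentities mapping on an AD user and keeping those mappings consistent, as an added example that is not part of the original mail, of Samba or of Heimdal. The attribute name altSecurityIdentities and the "Kerberos:principal@REALM" value form are the real AD conventions; the realm names, account names, base DN and sample entries are constructed placeholders.

```python
"""Build and audit Active Directory altSecurityIdentities Kerberos mappings.

Added example, not code from the original mail. The attribute name and
the "Kerberos:<principal>@<REALM>" value form are the AD conventions;
realm names, account names, DNs and sample data below are constructed.
"""
import re

# Hypothetical name of the Heimdal realm that AD trusts.
TRUSTED_REALM = "HEIMDALREALM"

# One Kerberos mapping value looks like "Kerberos:user@REALM".
_KERBEROS_MAPPING = re.compile(r"^Kerberos:(?P<princ>[^@\s]+)@(?P<realm>[A-Za-z0-9.-]+)$")


def kerberos_mapping(principal: str, realm: str) -> str:
    """Return the altSecurityIdentities value mapping a foreign principal
    to the AD account that carries it. Realms are upper-cased as in Kerberos."""
    if not principal or "@" in principal or any(c.isspace() for c in principal):
        raise ValueError("principal must be a bare name without a realm part")
    return f"Kerberos:{principal}@{realm.upper()}"


def modify_ldif(user_dn: str, principal: str, realm: str) -> str:
    """LDIF 'changetype: modify' record adding the mapping, usable with ldapmodify."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "add: altSecurityIdentities",
        f"altSecurityIdentities: {kerberos_mapping(principal, realm)}",
        "",
    ])


def parse_mapping(value: str):
    """Return (principal, REALM) for a Kerberos mapping value, else None
    (altSecurityIdentities may also hold X509 mappings, which are not parsed here)."""
    m = _KERBEROS_MAPPING.match(value)
    if not m:
        return None
    return m.group("princ"), m.group("realm").upper()


def audit_mappings(entries, trusted_realm=TRUSTED_REALM):
    """entries: dict of sAMAccountName -> list of altSecurityIdentities values,
    as dumped from the directory. Returns (account, value, reason) findings for
    values that are not Kerberos mappings, that point at a realm other than the
    trusted one, or that map one foreign principal onto two AD accounts."""
    findings = []
    seen = {}  # (principal, realm) -> first AD account carrying it
    for account, values in entries.items():
        for v in values:
            parsed = parse_mapping(v)
            if parsed is None:
                findings.append((account, v, "not a Kerberos mapping"))
                continue
            princ, realm = parsed
            if realm != trusted_realm:
                findings.append((account, v, f"realm {realm} is not the trusted realm"))
            key = (princ, realm)
            if key in seen and seen[key] != account:
                findings.append((account, v, f"principal also mapped to {seen[key]}"))
            seen.setdefault(key, account)
    return findings


# Constructed sample dump: one clean account, one with a stray realm,
# one duplicate mapping and one certificate (X509) mapping.
SAMPLE_ENTRIES = {
    "jdoe": ["Kerberos:jdoe@HEIMDALREALM"],
    "asmith": ["Kerberos:asmith@HEIMDALREALM", "Kerberos:asmith@OTHERREALM"],
    "svc-backup": ["Kerberos:jdoe@HEIMDALREALM"],
    "bwu": ["X509:<I>DC=test<S>CN=bwu"],
}

if __name__ == "__main__":
    print(modify_ldif("CN=jdoe,OU=Users,DC=example,DC=test", "jdoe", TRUSTED_REALM))
    for account, value, reason in audit_mappings(SAMPLE_ENTRIES):
        print(f"{account}: {value} -> {reason}")
```

The audit side is the part worth running periodically: a mapping to a realm other than the trusted Heimdal realm, or the same foreign principal mapped onto two AD accounts, means an account can be reached by a principal the administrators did not intend, so both are findings to resolve in the directory.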