Tag Archives: heimdal

smbk5pwd followup

I went ahead and hacked an ebuild to include the smbk5pwd overlay and submitted a bug to the Gentoo bugzilla. I don’t know how well it will be received since it screws with the Kerberos dependencies, but we shall see…

If anyone wants a more direct download it’s in my overlay, but I’m not going to drop it in BMG since it just doesn’t seem appropriate…

Heimdal, Samba and system password sync

I’ve been looking for ways to keep passwords stored in LDAP in sync, and I came across the smbk5pwd module/overlay for OpenLDAP. It only works with OpenLDAP 2.2 or later, but it takes a lot of the headache out of administration if you store any combination of system, Kerberos and Samba passwords in LDAP and want to keep them in sync.

It works by hooking the “LDAP Password Modify Extended Operation” (RFC 3062) in slapd, so a password change arriving from any one source (smbpasswd, passwd, kpasswd) gets propagated to all the relevant password attributes on the entry. You can also replace the normal value of userPassword with {K5KEY}; a simple bind against such an entry is then verified directly against the Kerberos keys stored in krb5Key instead of going through the SASL two-step (more info).

You must have OpenLDAP >= 2.2 to use smbk5pwd, and you can either download the latest 2.3 tarball, do a CVS checkout or apply this patch. You will still have to compile the module by hand (at least on Gentoo) and manually copy the libs over to /usr/lib/openldap/openldap.

This site has some good config file examples, but I did have to change permissions on /var/heimdal/m-key to make it readable by the ldap user or slapd complained.
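As an added illustration of the setup described above (this is not config from the linked site or from the OpenLDAP tree), here is a minimal slapd.conf fragment enabling the overlay, followed by a constructed LDIF entry that uses {K5KEY}. The module path matches the Gentoo location mentioned above; the suffix, the principal, the SID and the uid/gid values are made up, and the `smbk5pwd-enable` / `smbk5pwd-must-change` directive names are taken from the smbk5pwd README shipped in contrib/slapd-modules, so check the README of the version you actually built:

```conf
# --- slapd.conf (global section) ---------------------------------------
# Load the hand-built overlay from where the libs were copied (Gentoo path
# from above; adjust if your modulepath differs).
modulepath  /usr/lib/openldap/openldap
moduleload  smbk5pwd.la

# The schemas providing krb5KDCEntry (Heimdal hdb-ldap) and sambaSamAccount
# (Samba) must be included before the database section; their file names
# depend on the packaging, so they are not shown here.

# --- database section ----------------------------------------------------
database    bdb
suffix      "dc=example,dc=com"          # assumption: example suffix
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/openldap-data

overlay     smbk5pwd
# Which stores a single Password Modify extop should update. Leaving both
# out enables every module the overlay was compiled with.
smbk5pwd-enable krb5
smbk5pwd-enable samba
# Seconds until sambaPwdMustChange after a change (30 days here); omit to
# never force expiry.
smbk5pwd-must-change 2592000

# --- constructed example entry (LDIF) -------------------------------------
# userPassword holds the {K5KEY} marker instead of a hash, so a simple bind
# is checked against krb5Key. krb5Key, sambaNTPassword and sambaLMPassword
# are filled in by the overlay the first time the password is set via the
# extop (e.g. ldappasswd -x -D "cn=Manager,dc=example,dc=com" -W -S
# uid=alice,ou=People,dc=example,dc=com).
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krb5KDCEntry
objectClass: sambaSamAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
krb5PrincipalName: alice@EXAMPLE.COM
krb5KeyVersionNumber: 1
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-21002
userPassword: {K5KEY}
```

Two points worth checking once this is in place. First, the overlay only sees changes that arrive as the RFC 3062 extop, so clients have to be told to use it: `pam_password exop` for pam_ldap, and `ldap passwd sync = only` in smb.conf so Samba sends the extop and leaves the NT/LM hashes to the overlay rather than writing them itself. Second, the reason slapd needs /var/heimdal/m-key is that the krb5 module encrypts the new krb5Key values with the Heimdal master key; whoever can read that file can decrypt every key in the KDC database, so change the file's owner or group to the ldap user (e.g. chown ldap and keep mode 0400/0440) rather than making it world-readable.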