Been trying to track down some issues with the new Subversion servers at work. They are set up to be accessed via https only, with authentication provided by mod_auth_kerb. This works beautifully for doing Negotiate auth, however I’d been seeing some odd errors when it would fall back to Basic. I was seeing a bunch of replay errors logged:
krb5_verify_init_creds() failed: Request is a replay
Along with the more cryptic:
The locks could not be queried for verification against a possible "If:" header. [500, #0]
It was pretty obvious that the errors were related, however the replay messages were spewing much more frequently. I enlisted the help of jorton (resident Apache guru) and we managed to fix a few other small annoyances, but got nowhere on the errors. Till yesterday. Joe forwarded me an email from the m_a_k mailing list that said to set kdc_timesync = 0. The thread has a good explanation of why this needs to be set, so go read it.
I’ve been looking for ways to keep passwords stored in LDAP in sync, and I came across the smbk5pwd module/overlay for OpenLDAP. It only works with OpenLDAP 2.2 or later, but it takes a lot of the headache out of administration if you are storing any combination of system/Kerberos/Samba passwords in LDAP and you want to keep them in sync.
It works using the “LDAP Password Modify Extended Operation” (RFC 3062) and just makes sure that a password change happening from one source (smbpasswd, passwd, kpasswd) gets propagated to all relevant entries. You can also replace the normal data in userPassword with {K5KEY}, and any simple bind password requests will automagically get looked up directly in krb5Key instead of doing the SASL two-step (more info).
You must have OpenLDAP >= 2.2 to use smbk5pwd, and you can either download the latest 2.3 tarball, do a CVS checkout or apply this patch. You will still have to compile the module by hand (at least on Gentoo) and manually copy the libs over to /usr/lib/openldap/openldap.
This site has some good config file examples, but I did have to change permissions on /var/heimdal/m-key to make it readable by the ldap user or slapd complained.
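As an added illustration (not from the original post or the smbk5pwd project), here is the shape of the setup described above: a slapd.conf fragment that loads the hand-compiled module and attaches the overlay, a constructed LDIF entry using {K5KEY}, and the krb5.conf setting from the mod_auth_kerb thread. The suffix, DNs, SID and file paths other than the module directory are assumptions.

```conf
### /etc/openldap/slapd.conf (fragment; suffix and paths are assumptions)
# Load the module from the directory the hand-built libs were copied to.
modulepath  /usr/lib/openldap/openldap
moduleload  smbk5pwd.la

database    bdb
suffix      "dc=example,dc=com"
# ... directory, indexes and access rules as usual ...

# Attach the overlay to this database. Every RFC 3062 Password Modify
# extended operation against an entry here also rewrites the Kerberos
# (krb5Key) and Samba (sambaNTPassword/sambaLMPassword) attributes, so
# passwd, smbpasswd and kpasswd can no longer drift apart.
overlay         smbk5pwd
smbk5pwd-enable krb5
smbk5pwd-enable samba

### Constructed sample entry (LDIF). userPassword carries only the
### {K5KEY} marker, so a simple bind is verified against krb5Key instead
### of a separate hash that would have to be kept in sync as well.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
objectClass: sambaSamAccount
uid: jdoe
cn: Jane Doe
sn: Doe
krb5PrincipalName: jdoe@EXAMPLE.COM
krb5KeyVersionNumber: 1
sambaSID: S-1-5-21-0-0-0-1001
userPassword: {K5KEY}

### /etc/krb5.conf (fragment): the setting from the m_a_k thread that
### stopped the "Request is a replay" errors on Basic-auth fallback.
[libdefaults]
        default_realm = EXAMPLE.COM
        kdc_timesync = 0
```

ldappasswd(1) drives the same Password Modify extended operation, so changing a test account with it and re-reading the entry is a quick way to confirm that one change updated userPassword, krb5Key and the Samba hashes together.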