Heimdal, Samba and system password sync

I’ve been looking for ways to keep passwords stored in LDAP in sync, and I came across the smbk5pwd module/overlay for OpenLDAP. It only works with OpenLDAP 2.2 or later, but it takes a lot of the headache out of administration if you are storing any combination of system/Kerberos/Samba passwords in LDAP and want to keep them in sync.

It works using the “LDAP Password Modify Extended Operation” (RFC 3062) and just makes sure that a password change coming from any one source (smbpasswd, passwd, kpasswd) gets propagated to all the relevant attributes. You can also replace the normal data in userPassword with {K5KEY}, and any simple bind will then automagically be checked directly against krb5Key instead of doing the SASL two-step (more info).

You must have OpenLDAP >= 2.2 to use smbk5pwd, and you can either download the latest 2.3 tarball, do a CVS checkout or apply this patch. You will still have to compile the module by hand (at least on Gentoo) and manually copy the libs over to /usr/lib/openldap/openldap.

This site has some good config file examples, but I did have to change permissions on /var/heimdal/m-key to make it readable by the ldap user or slapd complained.
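As an added example that is not part of the original post (nor taken from the OpenLDAP or Heimdal trees), here is a minimal slapd.conf fragment showing how the overlay is wired into a database. The suffix, DNs, data directory and schema file paths are assumptions chosen for illustration; the module path matches the one the post says the libs were copied to.

```conf
# Added example, not from the post: minimal slapd.conf wiring for smbk5pwd.
# Suffix, DNs, directory and schema paths below are assumptions.

# Schema for the attributes the overlay reads and rewrites
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema   # sambaNTPassword, sambaLMPassword, sambaPwdLastSet
include         /etc/openldap/schema/hdb.schema     # krb5Key, krb5KeyVersionNumber (ships with Heimdal)

# The hand-compiled module, copied to the directory the post mentions
modulepath      /usr/lib/openldap/openldap
moduleload      smbk5pwd.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/openldap-data

# smbk5pwd hooks the RFC 3062 Password Modify exop on this database and updates
# krb5Key/krb5KeyVersionNumber and the Samba hashes alongside userPassword.
# Heimdal's master key (/var/heimdal/m-key) must be readable by the user slapd
# runs as, otherwise the overlay cannot encrypt the new Kerberos keys.
overlay         smbk5pwd

# Every attribute below is password-equivalent (the NT hash in particular can be
# used directly to authenticate), so nobody but the owner and the manager may
# read them; "auth" lets clients bind against them without reading them.
access to attrs=userPassword,krb5Key,krb5KeyVersionNumber,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn.exact="cn=Manager,dc=example,dc=com" write
        by * read
```

With this in place, a change sent through the extended operation (for example `ldappasswd -x -D uid=alice,ou=people,dc=example,dc=com -W -S`, with a DN that is again an assumption) updates userPassword, the Kerberos keys and the Samba hashes in one go. A plain LDAP Modify that writes userPassword directly does not pass through the overlay and leaves the other attributes stale, which is the main thing to check when passwords appear to drift; setting `userPassword: {K5KEY}` on an entry sidesteps that for simple binds, because they are then verified against krb5Key rather than against a separate hash.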

5 thoughts on “Heimdal, Samba and system password sync”

  1. You also have to tweak the ebuild, I found out just now. --enable-overlays isn’t in the ebuild and is needed to get it working (I think; testing now, if you want feedback, lemme know)

  2. Total disaster 😉
    My best guess is you have to compile it manually..
    start with
    ebuild openldap….ebuild unpack
    ebuild openldap….ebuild compile
    Do the smbk5pwd overlay compile.
    Copy the libs to the right directory
    ebuild openldap…..ebuild install
    ebuild openldap…..ebuild qmerge

    May be missing some steps. I got the module compiled and I also got slapd not to complain about it. But in the end, it just loaded it as a null module :/ 🙂

  3. Are you getting any error output from starting slapd from the command line (/usr/lib/openldap/slapd -d1)? Or is it not syncing the passwords correctly?

  4. Good news… the thing works 😉
    Will update gentoo-wiki accordingly

  5. Why not submit an updated ebuild to Bugzilla? It could have a smbk5pwd USE flag and set --enable-overlays when that flag is set.
