Heimdal, Samba and system password sync

1 minute read

I’ve been looking for ways to keep passwords stored in LDAP in sync, and I came across the smbk5pwd module/overlay for OpenLDAP. It only works with OpenLDAP 2.2 or later, but it takes a lot of the headache out of administration if you are storing any combination of system/Kerberos/Samba passwords in LDAP and you wanna keep em in sync.

It works using the “LDAP Password Modify Extended Operation” (RFC 3062) and just makes sure than a password change happening from one source (smbpasswd, passwd, kpasswd) gets propagated to all relevant entries. You can also replace the normal data in userPassword with {K5KEY} and any simple bind password requests will automagically get looked up directly in krb5Key instead of doing the SASL two-step (more info).

You must have OpenLDAP >= 2.2 to use smbk5pwd, and you can either download the latest 2.3 tarball, do a CVS checkout or apply this patch. You will still have to compile the module by hand (at least on Gentoo) and manually copy the libs over to /usr/lib/openldap/openldap.

This site has some good config file examples, but I did have to change permissions on /var/heimdal/m-key to make it readable by the ldap user or slapd complained.



Leave a Comment