Date: Fri, 13 Jun 2008 11:48:50 -0700
From: Scott Grizzard <scott(a)scottgrizzard.com>
With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's
contrib directory) to sync heimdal keys, openldap passwords (it actually
points the openldap password to the heimdal key), and sambaLA and
sambaNT hashes. Then, if you configure your client services to change
passwords using ldappasswd, you can avoid the long chain of custom
scripts to keep everything in sync.
Right. (I figure you weren't explaining that to me, since I wrote all that code.)
If there is something similar for MIT Kerberos and FDS, I would be
That'd probably be a premature move. The MIT code is far less stable than
Heimdal. Their library has a long history of thread safety issues, security
flaws, and crashes in threaded servers. The MIT folks may be ok on the
conceptual side, but when it comes to practical implementations they fumble
the details more often than not. There are a lot of reasons both OpenLDAP and
Samba support Heimdal.
Doesn't Samba 4 make this problem moot though?
As far as I know Samba 4 handles password synchronization from the SMB side,
but you still want to have synchronization for ldappasswd and such.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/