samba-3.0.21c, heimdal-0.7.2

The heimdal documentation[1] talks about a samba integration when both samba and heimdal are using ldap as their backends. I quote:

"Now you can proceed as in See Using LDAP to store the database. Heimdal will pick up the Samba LDAP entries if they are in the same search space as the Kerberos entries."

There is absolutely no further documentation. I tried with this tree:

    dc=mycnc,dc=com
    ou=People,dc=mycnc,dc=com

heimdal is configured to use ou=people (I also tried with ou=KerberosPrincipals), where I already have some entries. My goal is to use only one password to avoid the sambaNTPassword/userPassword/kerberos mess (three passwords). I was under the impression that this setup should get me that.

If I add a principal with a name that is already in ou=people as a posix and samba account, I get this:

    (...)
    [EMAIL PROTECTED]'s Password:
    Verifying - [EMAIL PROTECTED]'s Password:
    kadmin: kadm5_create_principal: ldap_search_s: No such object
    kadmin: adding joao: Principal or policy already exists

The ldap logs show these queries (first column is the number of entries returned):

    1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)([EMAIL PROTECTED]))"
    0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
    1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)([EMAIL PROTECTED]))"
    0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
    0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)([EMAIL PROTECTED]))"
    1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"

A few questions:

a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's the binddn after authz-regexp;

b) It found my user's entry (last search), why doesn't it add the kerberos attributes to it? Or, better yet, what is supposed to be happening?
If I run kadmin to add a user that doesn't exist with posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created, which samba doesn't see.
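An added helper, not part of the post above, for reading slapd search logs of the shape the poster pasted: it parses the "N SRCH base=... filter=..." lines, totals the entries returned per search base, and picks out the two things the poster asks about (searches whose base is the KDC's own bind DN, and krb5Principal lookups that came back empty). The sample log is constructed to mirror the post; the realm MYCNC.COM and the krb5PrincipalName filter term stand in for the redacted value and are assumptions.

```python
import re

# slapd access-log SRCH line, with the entry count the poster prepended.
SRCH_RE = re.compile(
    r'^\s*(?P<nentries>\d+)\s+SRCH\s+base="(?P<base>[^"]*)"\s+'
    r'scope=(?P<scope>\d+)\s+deref=(?P<deref>\d+)\s+filter="(?P<filter>[^"]*)"'
)

# Constructed sample, same shape as the post; the principal name in the
# filter (krb5PrincipalName=joao@MYCNC.COM) is an assumed, unredacted value.
SAMPLE_LOG = """\
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)(krb5PrincipalName=joao@MYCNC.COM))"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"
"""


def parse_searches(log_text):
    """One dict per SRCH line: nentries, base, scope, deref, filter."""
    out = []
    for line in log_text.splitlines():
        m = SRCH_RE.match(line)
        if not m:
            continue  # not a search line; ignore BIND/RESULT/etc.
        d = m.groupdict()
        for key in ("nentries", "scope", "deref"):
            d[key] = int(d[key])
        out.append(d)
    return out


def entries_per_base(searches):
    """Total entries returned, keyed by search base."""
    totals = {}
    for s in searches:
        totals[s["base"]] = totals.get(s["base"], 0) + s["nentries"]
    return totals


def searches_under_bind_dn(searches, bind_dn):
    """Searches rooted at the bind DN itself (question a in the post)."""
    return [s for s in searches if s["base"].lower() == bind_dn.lower()]


def empty_principal_lookups(searches):
    """krb5Principal searches that matched nothing, i.e. no KDC entry found."""
    return [s for s in searches
            if "objectClass=krb5Principal" in s["filter"] and s["nentries"] == 0]
```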