On Friday 10 October 2008 11:14:10 Guillaume Rousse wrote:
> Pascal Levy wrote:
> (...)
> That sounds really interesting, but I don't understand some points:
>
> - how do you have AD know it can get a kerberos ticket from the heimdal
> KDC? Did you set the user userPrincipalName attribute to a principal
> from the heimdal managed realm?
>
There is a special attribute in the AD ldap schema, "altSecurityIdentities", which can be used for this purpose. You can access it with ldap tools or, in the Windows AD mmc interface, by activating "advanced features" and "user mapping" in the contextual menu of a user object.

> - is the AD userPassword attribute ever used in this case?
>
It could be if you want users to be able to choose between AD direct login or unix kdc authentication, but actually here, no, it's never used and nobody can access it.

> - what's the exact usefulness of having OpenLDAP auth redirected to SASL
> mechanism? Just for managing a single password? We have heimdal using
> openldap as backend, and use smbkrb5 overlay to keep them synced
> already, so it may be useless for us.
>
We wanted the heimdal KDC to be the unique central repository for our users' passwords, both for security and for synchronisation reasons.

> - how do you prevent ExOP PasswdChange from rewriting the userPassword attribute
> with a normal value, and keep '[EMAIL PROTECTED]' instead?
>
You can do this with ldap acl, but actually at this moment we manage this issue only at the interface level. We expect our users not to use ldap command line tools...

> - what exact ciphers did you use to ensure compatibility between heimdal
> and your AD controller? From Heimdal documentation, we used
> des3-hmac-sha1 and des-cbc-crc, but it's quite old. From previous Andrew
> answer, I understand we may use arcfour-hmac-md5 as well now.
>
This is an issue only for the key shared by the AD and the heimdal kdc (krbtgt/[EMAIL PROTECTED]). For this one, we kept only des-cbc-crc. It was the worst headache when I started working on this.

I have (since long) had to write complete documentation for all these things. For now, I only have a very partial one, about the trust between realms and user mapping. It's in French, I'm sorry for the list, but I guess that it can be ok for you, and perhaps better than my very bad English (sorry for that too).

Pascal

> Thanks for your input.

--
Pascal Levy
Network & IT resources engineer
Bibliothèque InterUniversitaire Sainte Geneviève
tel.: (33) 1 44 41 97 53
Bibliothèque InterUniversitaire de Langues Orientales
tel.: (33) 1 44 77 95 00
[EMAIL PROTECTED]
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
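The user-mapping step Pascal describes above (an AD account pointing at a Heimdal principal through the `altSecurityIdentities` attribute, stored as the literal `Kerberos:principal@REALM`) is easy to get subtly wrong across hundreds of accounts: a mapping to the wrong realm, a value that does not parse, or two AD accounts claiming the same foreign principal. The script below is an added example for this thread, not code from the mail or from Samba or Heimdal. It reads a small constructed LDIF export (realm and domain names are placeholders; `UNIX.EXAMPLE` stands in for the Heimdal realm) and reports which accounts are correctly mapped, which still fall back to AD-only login, and which mappings are malformed, foreign or duplicated. The enctype question in the thread is a separate audit: `des-cbc-crc` is single DES, deprecated for Kerberos by RFC 6649, so a cross-realm krbtgt key limited to it is worth revisiting.

```python
"""Audit the altSecurityIdentities Kerberos mappings of AD user objects.

Added example for the thread above (not code from the original mail).
Realm and domain names below are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed LDIF export of a few AD user objects (the shape you would get
# from ldifde or ldapsearch); "UNIX.EXAMPLE" stands in for the Heimdal realm.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=ad,DC=example
sAMAccountName: alice
userPrincipalName: alice@ad.example
altSecurityIdentities: Kerberos:alice@UNIX.EXAMPLE

dn: CN=bob,OU=Users,DC=ad,DC=example
sAMAccountName: bob
userPrincipalName: bob@ad.example
altSecurityIdentities: X509:<I>CN=Example CA<S>CN=bob
altSecurityIdentities: Kerberos:bob@UNIX.EXAMPLE

dn: CN=carol,OU=Users,DC=ad,DC=example
sAMAccountName: carol
userPrincipalName: carol@ad.example

dn: CN=svc-backup,OU=Service,DC=ad,DC=example
sAMAccountName: svc-backup
altSecurityIdentities: Kerberos:alice@UNIX.EXAMPLE

dn: CN=dave,OU=Users,DC=ad,DC=example
sAMAccountName: dave
altSecurityIdentities: Kerberos:dave@OTHER.EXAMPLE

dn: CN=eve,OU=Users,DC=ad,DC=example
sAMAccountName: eve
altSecurityIdentities: Kerberos:eve
"""

# AD stores a Kerberos mapping as the literal "Kerberos:<principal>@<REALM>".
KRB_MAPPING = re.compile(r"^Kerberos:(?P<principal>[^@\s]+)@(?P<realm>[^@\s]+)$")


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, multi-valued attrs as lists.

    Handles folded continuation lines (leading space) but not base64 ("::")
    values, which the sample does not use.
    """
    entries, current, lines = [], None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded line: join to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip():                       # blank line ends an entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_mappings(entries, trusted_realm):
    """Classify each account's Kerberos mappings against the trusted realm."""
    report = {"mapped": {}, "unmapped": [], "foreign_realm": {},
              "malformed": {}, "duplicates": {}}
    by_principal = defaultdict(list)
    for entry in entries:
        name = entry.get("sAMAccountName", [entry["dn"]])[0]
        mapped_here = False
        for value in entry.get("altSecurityIdentities", []):
            if not value.startswith("Kerberos:"):
                continue                           # X509: etc. are out of scope
            match = KRB_MAPPING.match(value)
            if match is None:
                report["malformed"].setdefault(name, []).append(value)
                continue
            principal = f"{match['principal']}@{match['realm']}"
            if match["realm"] != trusted_realm:
                report["foreign_realm"][name] = principal
                continue
            mapped_here = True
            report["mapped"][name] = principal
            by_principal[principal].append(name)
        if not mapped_here:                        # account still logs in with its AD password
            report["unmapped"].append(name)
    # Two AD accounts claiming the same foreign principal is an ambiguous
    # mapping and must be resolved before relying on it for logon.
    report["duplicates"] = {p: names for p, names in by_principal.items()
                            if len(names) > 1}
    return report


if __name__ == "__main__":
    result = audit_mappings(parse_ldif(SAMPLE_LDIF), "UNIX.EXAMPLE")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Feed it a real export (`ldifde -f users.ldif -r "(objectClass=user)" -l sAMAccountName,userPrincipalName,altSecurityIdentities` or an equivalent `ldapsearch`) and treat every entry in `duplicates`, `malformed` and `foreign_realm` as a finding; `unmapped` is the list of accounts that, in Pascal's setup, would still authenticate against AD's own password rather than the Heimdal KDC.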
