Re: MIT-kerberos versus Heimdal

2010-05-05 Thread Veli-Matti Lintu
Mon, 2010-05-03 at 21:47 +0200, Andreas B. Mundt wrote:

 The critical point in using kerberos is the synchronization
 i.e. integration of all passwords: posix, samba and kerberos. Again,
 [1] gives an idea how it can be done with Heimdal and smbk5pwd, an
 (ldap-) overlay which will soon be in testing [2]. 

 In general, I got the impression that MIT-Kerberos is kind of more
 mainstream, there is more info on the web. Heimdal's documentation
 can be rather short sometimes.
 
 To sum up: The only advantage I see for Heimdal currently might be the
 use of smbk5pwd. However, if we need scripts anyway, I think it's
 better to add the few lines of code necessary for synchronization and
 use MIT. 

 [1] http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
 [2] http://packages.qa.debian.org/o/openldap.html

Hi,

We've been figuring out for a while what to do with this syncing problem
and we just finished smbkrb5pwd for MIT kerberos. Its implementation
differs from smbk5pwd for Heimdal, but the idea is to sync all the
passwords at once when the ldap password is changed. This is the first
version and it still needs work, but if you are interested in testing it,
here are instructions on how to use it:

http://www.opinsys.fi/en/smbkrb5pwd-password-syncing-for-openldap-mit-kerberos-and-samba

smbkrb5pwd does not alter the kerberos ldap entries directly, but
connects kadmind to do the work. This has pros and cons, but for us it
seems to work nicely in test environments. The testing has been done on
Ubuntu 10.04, but I cannot see why it wouldn't work in Debian also.

Veli-Matti


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1273066901.2643.13397.ca...@vm-lucid



MIT-kerberos versus Heimdal

2010-05-03 Thread Andreas B. Mundt
Hi,

the last days I spent some time on kerberos implementations namely
MIT-kerberos and Heimdal.

I set up a KDC on tjener using our LDAP as database. This is a short
summary of my experiences; if you have additional input please
comment.

To connect the KDC to the LDAP database various possibilities exist:
With MIT you can use ldaps (I suspect TLS ldap is not implemented, as
my book states, but I could not find a definitive answer in the net
quickly) and ldapi (UNIX domain socket). With Heimdal, only ldapi can
be used (which might be a good idea anyway for performance reasons).  

In MIT-Kerberos, you add a subtree to LDAP which contains all
kerberos related information:
 ldap_kerberos_container_dn = cn=krbcontainer,dc=skole,dc=skolelinux,dc=no

This extra tree contains all objects needed for the KDC:
 ldap_kdc_dn = cn=kdc-service,cn=krbcontainer,dc=skole,dc=skolelinux,dc=no

and for administrative tasks:
 ldap_kadmind_dn = cn=kadmin-service,cn=krbcontainer,dc=skole,dc=skolelinux,dc=no

When kerberos is initialized, some more objects (=default principals)
are created, and all end up in this tree, so this is a rather nice
setup. 
What happens with already existing objects in LDAP you want to make
principals of? They can stay where they are, and with the kadmin-command:

kadmin: addprinc -x dn=uid=foobar,ou=...,dc=skolelinux,dc=no foobar  

you attach kerberos attributes (krbPrincipalName: foo...@intern, ...)
to the object defined by its dn. So whenever a user is added to LDAP
and a script creates the corresponding home directory, the same script
may be used to add the principal. 

Unfortunately, I did not find a comparable command for Heimdal.
Heimdal does not allow splitting its service principals from other
principals; all end up in the same directory. To add the principal
attributes to an already existing object, most of the attributes have
to be added to ldap first. They are filled by changing the password
with kadmin. Read [1] (next to bottom) to get an idea how it's done.

The critical point in using kerberos is the synchronization
i.e. integration of all passwords: posix, samba and kerberos. Again,
[1] gives an idea how it can be done with Heimdal and smbk5pwd, an
(ldap-) overlay which will soon be in testing [2]. 

In general, I got the impression that MIT-Kerberos is kind of more
mainstream, there is more info on the web. Heimdal's documentation
can be rather short sometimes.

To sum up: The only advantage I see for Heimdal currently might be the
use of smbk5pwd. However, if we need scripts anyway, I think it's
better to add the few lines of code necessary for synchronization and
use MIT. 

It's strange that there is (?) no standard procedure to keep kerberos
and ldap in sync, but everybody seems to brew his own scripty
solution to this very general problem.

Regards,

Andi


[1] http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
[2] http://packages.qa.debian.org/o/openldap.html


-- 
Archive: http://lists.debian.org/20100503194757.ga8...@flashgordon
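As an added example (not code from either message, from smbkrb5pwd, or from MIT Kerberos), the audit script below covers the two points the thread raises: it finds LDAP posixAccount entries that have not yet received the krbPrincipalName attribute, and for each one builds the `kadmin.local -q "addprinc -x dn=... uid"` invocation Andreas describes, refusing uids or DNs that could inject extra tokens into kadmin's query string. The realm, the sample LDIF export and all names in it are constructed assumptions.

```python
import base64
import re

REALM = "EXAMPLE.COM"  # assumption: the site's realm, not taken from the thread
# kadmin parses the -q string itself, so LDAP-sourced values must not be able
# to smuggle whitespace, quotes or extra options into that string.
SAFE_UID = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
UNSAFE_DN = re.compile(r"[\s\"']")

def parse_ldif(text):
    """Parse LDIF (as written by `ldapsearch -LLL`) into {attr: [values]} dicts."""
    entries, current = [], {}
    # "\n " is an LDIF line fold; the "" sentinel flushes the last entry.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr, []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def accounts_without_principal(entries):
    """(dn, uid) of posixAccount entries whose krbPrincipalName is not uid@REALM."""
    missing = []
    for e in entries:
        if "posixAccount" in e.get("objectClass", []):
            uid = e["uid"][0]
            if f"{uid}@{REALM}" not in e.get("krbPrincipalName", []):
                missing.append((e["dn"][0], uid))
    return missing

def addprinc_argv(dn, uid):
    """argv running the thread's `addprinc -x dn=<dn> <uid>` via kadmin.local -q."""
    if not SAFE_UID.match(uid) or UNSAFE_DN.search(dn):
        raise ValueError(f"refusing to build a kadmin query for {dn!r} / {uid!r}")
    return ["kadmin.local", "-q", f"addprinc -x dn={dn} {uid}"]

# Constructed sample export: alice is in sync, bob (uid base64-encoded) is not.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
krbPrincipalName: alice@EXAMPLE.COM

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid:: Ym9i
"""
```

Running `accounts_without_principal(parse_ldif(SAMPLE_LDIF))` lists only bob; the returned argv is meant to be reviewed and run by an operator, since `addprinc` without `-randkey` or `-pw` prompts for the password interactively.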