Re: fds + kerberos


 



With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the 
contrib directory) to sync Heimdal keys, OpenLDAP passwords (it actually 
points the OpenLDAP password to the Heimdal key), and sambaLM and 
sambaNT hashes.  Then, if you configure your client services to change 
passwords using ldappasswd, you can avoid the long chain of custom 
scripts to keep everything in sync.

If there is something similar for MIT Kerberos and FDS, I would be sold 
in a microsecond.

Doesn't Samba 4 make this problem moot though?

- Scott

Howard Chu wrote:
>> Date: Thu, 12 Jun 2008 21:15:49 +0200
>> From: Jan Frode Myklebust <janfrode at tanso.net>
>
>> I have fds set up for user management, and have kerberos set
>> up for authentication, but am a bit uncertain if I'm now finished,
>> or if fds+kerberos are supposed to be better integrated.
>>
>> Is the normal procedure for managing users:
>>
>>     - add user info to the directory (ldapadd)
>>     - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>
> If you're using Heimdal's KDC there is a much less clumsy solution - 
> just configure your KDC to store its information in LDAP. Then you can 
> include the KDC-specific attributes in your ldapadd requests, and 
> manage both sets of users solely through LDAP. This works very well 
> with OpenLDAP; I think it should also work with FDS 1.1 now that 
> they've integrated ldapi:// support (but haven't tried it myself). You 
> can then also configure OpenLDAP to automatically synchronize password 
> changes between LDAP and Kerberos (since all the information is in the 
> LDAP entry).
>
> I believe recent versions of MIT Kerberos also offer this possibility, 
> but I haven't heard of any success stories with it so far.



