> Date: Fri, 13 Jun 2008 11:48:50 -0700 > From: Scott Grizzard <scott at scottgrizzard.com> > With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the > contrib directory) to sync heimdal keys, openldap passwords (it actually > points the openldap password to the heimdal key), and sambaLA and > sambaNT hashes. Then, if you configure your client services to change > passwords using ldappasswd, you can avoid the long chain of custom > scripts to keep everything in sync. Right. (I figure you weren't explaining that to me, since I wrote all that code.) > If there is something similar for MIT Kerberos and FDS, I would be sold > in microsecond. That'd probably be a premature move. The MIT code is far less stable than Heimdal. Their library has a long history of thread safety issues, security flaws, and crashes in threaded servers. The MIT folks may be ok on the conceptual side, but when it comes to practical implementations they fumble the details more often than not. There are a lot of reasons both OpenLDAP and Samba support Heimdal. > Doesn't Samba 4 make this problem moot though? As far as I know Samba 4 handles password synchronization from the SMB side, but you still want to have synchronization for ldappasswd and such. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
