Howard Chu wrote: >> Date: Fri, 13 Jun 2008 11:48:50 -0700 >> From: Scott Grizzard <scott at scottgrizzard.com> > >> With Heimdal and OpenLDAP, you can use the smbk5pwd overlay (it's in the >> contrib directory) to sync heimdal keys, openldap passwords (it actually >> points the openldap password to the heimdal key), and sambaLA and >> sambaNT hashes. Then, if you configure your client services to change >> passwords using ldappasswd, you can avoid the long chain of custom >> scripts to keep everything in sync. > > Right. (I figure you weren't explaining that to me, since I wrote all > that code.) > >> If there is something similar for MIT Kerberos and FDS, I would be sold >> in microsecond. > > That'd probably be a premature move. The MIT code is far less stable > than Heimdal. Their library has a long history of thread safety > issues, security flaws, and crashes in threaded servers. The MIT folks > may be ok on the conceptual side, but when it comes to practical > implementations they fumble the details more often than not. There are > a lot of reasons both OpenLDAP and Samba support Heimdal. MIT is widely supported across a variety of operating systems, being the default Kerberos implementation on many of them. It has a lot of vendor support. Although the LDAP features of MIT Kerberos are relatively new, Red Hat has a lot of resources dedicated to ensuring they work well, since this is an important part of the freeIPA project. > >> Doesn't Samba 4 make this problem moot though? > > As far as I know Samba 4 handles password synchronization from the SMB > side, but you still want to have synchronization for ldappasswd and such. > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 3258 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.fedoraproject.org/pipermail/389-users/attachments/20080616/ffb9ec58/attachment.bin
