MIT-kerberos versus Heimdal
the last days I spent some time on kerberos implementations namely
MIT-kerberos and Heimdal.
I set up a KDC on tjener using our LDAP as database. This is a short
summery of my experiences, if you have additional input please
To connect the KDC to the LDAP database various possibilities exist:
With MIT you can use ldaps (I suspect TLS ldap is not implemented, as
my book states, but I could not find a definitive answer in the net
quickly) and ldapi (UNIX domain socket). With Heimdal, only ldapi can
be used (which might be a good idea anyway for performance reasons).
In MIT-Kerberos, you add a subtree to LDAP which contains all
kerberos related informations:
ldap_kerberos_container_dn = cn=krbcontainer,dc=skole,dc=skolelinux,dc=no
This extra tree contains all objects needed for the KDC:
ldap_kdc_dn = cn=kdc-service,cn=krbcontainer,dc=skole,dc=skolelinux,dc=no
and for administrative tasks:
ldap_kadmind_dn = cn=kadmin-service,cn=krbcontainer,dc=skole,dc=skolelinux,dc=no
When kerberos is initialized, some more objects (=default principals)
are created, and all end up in this tree, so this is a rather nice
What happens with already existing objects in LDAP you want to make
principals of? They can stay where they are, and with the kadmin-command:
kadmin: addprinc -x dn=uid=foobar,ou=.......,dc=skolelinux,dc=no foobar
you attach kerberos attributes (krbPrincipalName: foobar@INTERN, ...)
to the object defined by its dn. So whenever a user is added to LDAP
and a script creates the corresponding home directory, the same script
may be used to add the principal.
Unfortunately, I did not find a comparable command for Heimdal.
Heimdal does not allow to split its service principals from other
principals, all ends up in the same "directory". To add the principal
attributes to an already existing object, most of the attributes have
to be added to ldap first. They are "filled" by changing the password
with kadmin. Read  (next to bottom) to get an idea how it's done.
The critical point in using kerberos is the synchronization
i.e. integration of all passwords: posix, samba and kerberos. Again,
 gives an idea how it can be done with Heimdal and smbk5pwd, an
(ldap-) overlay which will soon be in testing .
In general, I got the impression that MIT-Kerberos is kind of more
"mainstream", there is more info on the web. Heimdal's documentation
can be rather short sometimes.
To sum up: The only advantage I see for Heimdal currently might be the
use of smbk5pwd. However, if we need scripts anyway, I think it's
better to add the few lines of code necessary for synchronization and
It's strange that there is (?) no standard procedure to keep kerberos
and ldap in sync, but everybody seems to brew his own "scripty"
solution to this very general problem.