[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: MIT-kerberos versus Heimdal

ma, 2010-05-03 kello 21:47 +0200, Andreas B. Mundt kirjoitti:

> The critical point in using kerberos is the synchronization
> i.e. integration of all passwords: posix, samba and kerberos. Again,
> [1] gives an idea how it can be done with Heimdal and smbk5pwd, an
> (ldap-) overlay which will soon be in testing [2]. 

> In general, I got the impression that MIT-Kerberos is kind of more
> "mainstream", there is more info on the web. Heimdal's documentation
> can be rather short sometimes.
> To sum up: The only advantage I see for Heimdal currently might be the
> use of smbk5pwd. However, if we need scripts anyway, I think it's
> better to add the few lines of code necessary for synchronization and
> use MIT. 

> [1] http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
> [2] http://packages.qa.debian.org/o/openldap.html


We've been figuring out for a while what to do with this syncing problem
and we just finished smbkrb5pwd for MIT kerberos. Its implementation
differs from smbk5pwd for Heimdal, but the idea is to sync all the
passwords at once when ldap password is changed. This is the first
version and it still needs work, but if you are interested testing it,
here are instructions on how to use it:


smbkrb5pwd does not alter the kerberos ldap entries directly, but
connects kadmind to do the work. This has pros and cons, but for us it
seems to work nicely in test environments. The testing has been done on
Ubuntu 10.04, but I cannot see why it wouldn't work in Debian also.


Reply to: