On Thu, 2005-01-20 at 20:58 -0500, Mark Roach wrote:
> Hi, Andrew.
> 
> On Fri, 2005-01-21 at 09:16 +1100, Andrew Bartlett wrote:
> > Samba don't have the plaintext password, so can't do things via PAM that
> > require the original plaintext.  At my site, I have Heimdal Kerberos
> > backed onto the same LDAP directory as Samba, so they share the
> > passwords for the arcfour-hmac-md5 encryption type, and so there is no
> > need for a separate Kerberos password set.  
> 
> Ahh, that makes sense. I am using heimdal, not using the ldap backend
> yet though. It sounds like the method described here:
> https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
> right?

That's the URL I keep pointing at. :-)

> > You could also use the smbk5pwd OpenLDAP module, which will fill out the
> > other Kerberos encryption types at the same time.  (I'm not yet running
> > this).  I think this module should run with 'ldap password sync = only'.
> 
> That seems like the ideal situation. It sounds like I'm not going to be
> able to pull this off with the versions of openldap and heimdal in the
> debian repositories though. Not a big deal, but not ideal for my
> purposes. Perhaps I'll do some custom packaging.

I'll be interested to see what you come up with, and happy to help on
it.  I'm looking to move my LDAP off RedHat, so I can use the Heimdal
libs and this stuff :-)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
