that interop mess: ldap, samba, kerberos
Dennis Davis
D.H.Davis at bath.ac.uk
Tue Nov 22 06:01:40 EST 2005
On Tue, 22 Nov 2005, Sam Hartman wrote:
> From: Sam Hartman <hartmans at mit.edu>
> To: Turbo Fredriksson <turbo at bayour.com>
> Cc: kerberos at mit.edu
> Date: Tue, 22 Nov 2005 05:38:58 -0500
> Subject: Re: that interop mess: ldap, samba, kerberos
>
> >>>>> "Turbo" == Turbo Fredriksson <turbo at bayour.com> writes:
>
> Turbo> Eh... What? From what I know, slapd doesn't have any means of
> Turbo> specifying a keytab so even if you create one, slapd won't
> Turbo> use it...
>
> Well, slapd may be buggy. I'd like to think that saslauthd isn't
> buggy in this way.
> CMU folks?
saslauthd certainly isn't buggy in this way. The Zanarotti, or
screensaver, attack is avoided. We make extensive use of saslauthd
here and the KerberosV logs clearly show a ticket-granting ticket
(krbtgt/BATH.AC.UK at BATH.AC.UK) being acquired and then used to
acquire host/{hostname}@BATH.AC.UK credentials. The saslauthd code
caters for both the Heimdal and MIT Kerberos libraries.
We're also using OpenLDAP with KerberosV. That's showing the above
correct behaviour when authenticating users. I wasn't responsible
for building the servers so I'm not that familiar with the code.
But I suspect that it may well be using saslauthd.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis at bath.ac.uk Phone: +44 1225 386101
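The behaviour Dennis describes above (a krbtgt/ ticket acquired and then used to fetch a host/{hostname} service ticket, which is the step that defeats the Zanarotti attack) can be audited from the KDC's own logs. The script below is an added example, not code from this thread or from saslauthd or OpenLDAP: it pairs each TGT the KDC issued with a following host/ ticket for the same principal and client address, and reports logins where no such ticket appeared. The log lines are constructed for this example and only approximate the shape of MIT krb5kdc "ISSUE" entries; the realm, hosts, addresses, principals and the 30-second pairing window are all assumptions.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample log. These lines imitate the general shape of MIT
# krb5kdc ISSUE audit entries; the realm, hosts, addresses, principals
# and times are made up for this example. The NEEDED_PREAUTH line is
# there to show that non-ISSUE entries are skipped.
SAMPLE_KDC_LOG = """\
Nov 22 10:59:00 kdc krb5kdc[2041](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: alice@BATH.AC.UK for krbtgt/BATH.AC.UK@BATH.AC.UK, Additional pre-authentication required
Nov 22 10:59:01 kdc krb5kdc[2041](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1132653541, etypes {rep=18 tkt=18 ses=18}, alice@BATH.AC.UK for krbtgt/BATH.AC.UK@BATH.AC.UK
Nov 22 10:59:01 kdc krb5kdc[2041](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1132653541, etypes {rep=18 tkt=18 ses=18}, alice@BATH.AC.UK for host/mail.bath.ac.uk@BATH.AC.UK
Nov 22 11:02:17 kdc krb5kdc[2041](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1132653737, etypes {rep=18 tkt=18 ses=18}, bob@BATH.AC.UK for krbtgt/BATH.AC.UK@BATH.AC.UK
Nov 22 11:07:40 kdc krb5kdc[2041](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1132654060, etypes {rep=18 tkt=18 ses=18}, bob@BATH.AC.UK for krbtgt/BATH.AC.UK@BATH.AC.UK
Nov 22 11:07:41 kdc krb5kdc[2041](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1132654060, etypes {rep=18 tkt=18 ses=18}, bob@BATH.AC.UK for host/mail.bath.ac.uk@BATH.AC.UK
"""


class Event(NamedTuple):
    ts: datetime
    kind: str     # "AS_REQ" or "TGS_REQ"
    addr: str     # client address as logged by the KDC
    client: str   # requesting principal
    server: str   # service principal the ticket was issued for


# Matches only ISSUE lines; PREAUTH/NEEDED_PREAUTH and similar fail the match.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) .*? (?P<addr>\d+\.\d+\.\d+\.\d+): ISSUE: .*, "
    r"(?P<client>\S+) for (?P<server>\S+)$"
)


def parse_line(line: str) -> Optional[Event]:
    """Parse one KDC log line into an Event, or return None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; a fixed year is enough for computing gaps
    # (assumption: the log does not span a year boundary).
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2005)
    return Event(ts, m["kind"], m["addr"], m["client"], m["server"])


def audit_tgt_verification(log_text: str, window_seconds: int = 30,
                           service_prefix: str = "host/") -> List[Tuple[str, str, str, bool]]:
    """Pair each TGT issued with a following service ticket from the same client.

    Returns one (principal, address, time, verified) tuple per TGT. 'verified'
    is True when the same principal at the same address obtained a ticket for
    service_prefix within window_seconds, i.e. the client did the check that
    defeats a bogus KDC. Assumes the log is in chronological order.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    used = set()            # TGS entries already paired, so one ticket vouches for one TGT
    results = []
    for i, e in enumerate(events):
        if e.kind != "AS_REQ" or not e.server.startswith("krbtgt/"):
            continue
        verified = False
        for j in range(i + 1, len(events)):
            f = events[j]
            if (f.ts - e.ts).total_seconds() > window_seconds:
                break       # chronological log: nothing later can fall in the window
            if (j not in used and f.kind == "TGS_REQ"
                    and f.server.startswith(service_prefix)
                    and f.client == e.client and f.addr == e.addr):
                used.add(j)
                verified = True
                break
        results.append((e.client, e.addr, e.ts.strftime("%b %d %H:%M:%S"), verified))
    return results


def unverified_logins(log_text: str, **kw) -> List[Tuple[str, str, str]]:
    """Just the TGTs that were never followed by a service ticket."""
    return [(p, a, t) for p, a, t, ok in audit_tgt_verification(log_text, **kw) if not ok]


if __name__ == "__main__":
    for principal, addr, when, ok in audit_tgt_verification(SAMPLE_KDC_LOG):
        status = "TGT then host/ ticket" if ok else "TGT only: no verification step seen"
        print(f"{when} {addr:<10} {principal:<18} {status}")
```

A bogus KDC does not write to the genuine KDC's log, so this does not catch an attack in progress. What it catches is the precondition for one: a client that accepted a password against the KDC and never fetched a service ticket, which is what a server running without a keytab (or with verification switched off) looks like from the KDC's side.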