that interop mess: ldap, samba, kerberos

Turbo Fredriksson turbo at bayour.com
Tue Nov 22 11:30:54 EST 2005


Quoting Dennis Davis <D.H.Davis at bath.ac.uk>:

> On Tue, 22 Nov 2005, Sam Hartman wrote:
>
>> From: Sam Hartman <hartmans at mit.edu>
>> To: Turbo Fredriksson <turbo at bayour.com>
>> Cc: kerberos at mit.edu
>> Date: Tue, 22 Nov 2005 05:38:58 -0500
>> Subject: Re: that interop mess: ldap, samba, kerberos
>> 
>> >>>>> "Turbo" == Turbo Fredriksson <turbo at bayour.com> writes:
>> 
>>     Turbo> Eh... What? From what I know, slapd don't have any means of
>>     Turbo> specifying a keytab so even if you create one, slapd won't
>>     Turbo> use it...
>> 
>> Well, slapd may be buggy.  I'd like to think that saslauthd isn't
>> buggy in this way.
>> Cmu folks?
>
> saslauthd certainly isn't buggy in this way.  The Zanarotti, or
> screensaver, attack is avoided.  We make extensive use of saslauthd
> here and the KerberosV logs clearly show a ticket-granting ticket
> (krbtgt/BATH.AC.UK at BATH.AC.UK) being acquired and then used to
> acquire host/{hostname}@BATH.AC.UK credentials.  The saslauthd code
> caters for both the Heimdal and MIT Kerberos libraries.

That's not a keytab, that's a (service) principal, right!?
Two different but related things... ?

A '{host,ldap}/<FQDN>@<REALM>' (service) principal IS created and
explained in my book, so are we talking about the same thing, but
using different 'language'?

Am I missing something obvious here?

> But I suspect that it may well be using saslauthd.

If you're using {SASL}, then yes - you're using saslauthd. The old
(now unsupported/depricated) way of doing things was using {KERBEROS}.
And that used some internal magic that I'm not sure/don't remember
how exactly it worked.

>From what I know, the only way to tie OpenLDAP to kerberos is by
using '{SASL}<principal>@<REALM>' in the userPassword attribute...


More information about the Kerberos mailing list