Kerberos and LDAP password sync question

Greg Hudson ghudson at mit.edu
Wed Aug 2 01:27:48 EDT 2017


On 08/01/2017 03:14 AM, Lucas Dutra wrote:
> So, about the password sync between MIT Kerberos and LDAP, I’ve been
> reading and discovered the package smbk5pwd does this automatically, but
> this one only supports Heimdal Kerberos. Does anyone know if there is any better
> solution for the password sync?

There's krb5-sync, which works with MIT krb5 or Heimdal.  It's designed
to sync to Active Directory, so while it does sync passwords via LDAP,
I'm not sure it will work with just any LDAP server as the target.

https://www.eyrie.org/~eagle/software/krb5-sync/

> And just one more question, can I use a Heimdal KDC and an MIT client
> without a compatibility problem? Or vice versa.

For the standard Kerberos protocol and for password changes, yes.
Administrative operations (kadmin) do not use a standard protocol.  I
believe Heimdal implements limited admin protocol compatibility with MIT
krb5, but I'm not familiar with the details of that.

