MIT kerberos vs heimdal

Tomasz Pala gotar at polanet.pl
Sat Feb 7 23:21:26 CET 2015


On Sat, Feb 07, 2015 at 18:44:48 +0100, Jan Rękorajski wrote:

>> Oh, and I've just found this thread:
>> http://www.openldap.org/lists/openldap-technical/201402/msg00197.html
>> pointing to https://github.com/opinsys/smbkrb5pwd
> 
> Wow, 10 years after Heimdal?

Kerberos was designed for authentication, not directory services, so you
shouldn't 'wow' this feature - blame samba for being such a lame AD
replacement. I see no point in keeping credentials in LDAP; this is
IMHO against both LDAP (permits reading everything by default, needs some
fancy ACLs to restrict public information) and the KDC (credentials should
not leave the ticket-granting system in ANY way). Or blame AD for being such
a misdesign, dunno - KDC and LDAP should never talk to each other
(with one obvious exception - authenticating the user for LDAP access itself).
Or ...why don't you blame OpenLDAP for missing an MIT updater? It's weird
that every LDAP-related solution is flawed - you can't have HTTP digest
auth with LDAP, because the LDAP userPassword would need to be plaintext?
Wrong, apache could store the same data as htdigest stores and fetch
it using its own user (with ACLs protecting this attribute the same
way as userPassword is, and some overlay to update it when the main user
password changes). After all, there is a squid-ldap auth helper (an https
proxy is a relatively new solution, and doing basic http auth without SSL is
not an option). Authenticating a user upon a successful LDAP bind is
ridiculous (ok, there is authorization using search, still lame).
Seems to me that the entire LDAP business is a kludge...

Never mind, there is smbkrb5pwd '10 years after Heimdal', so we can get
back to MIT '3 years after the last Heimdal release', can't we?

> And it still looks like it needs some hackery.

Elaborate please - I've seen many documents on integrating heimdal with
LDAP and it was all one big hackery, what's the difference with above?

> But that's not the point, you missed the most important issue (system
> MIT makes samba4 useless):

Elaborate please - I see all the parts in the same places in both
systems. What exactly is missing?

>> > and that's crucial now Samba is a real AD server. Just read README.dc
>> > from Fedora's samba package, it's so pathetic it still makes me
>> > laugh my ass off.
>> >
>> > That were the reasons we switched to Heimdal.

Wasn't that the reason THEY created FreeIPA for AD?

>> How can I set a default and user password policy using Heimdal without
>> LDAP (I won't put passwords into a public directory designed for
>> authorization, not authentication)? I need a plain authentication service,
>> no LDAP and no SASL involved.
> 
> Never used standalone KDC, always had LDAP backend. Try this:
> http://kerberos.996246.n3.nabble.com/Password-Quality-Checking-td10147.html

That's not a solution - it is only a password strength check, not a policy;
at least password reuse and account lockout are required.

> I assume you read this:
> http://www.h5l.org/manual/HEAD/info/heimdal/Password-changing.html

Yes, ...that's why I've started digging on MIT. Or going towards LDAP
(for ppolicy), but it seems it's too hackish as well.

-- 
Tomasz Pala <gotar at pld-linux.org>
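An added example (not from this thread, and not Apache's, Squid's or OpenLDAP's own code) of the HTTP digest point made above: the only secret a Digest server needs is HA1 = MD5(user:realm:password), exactly what htdigest(1) writes, so a directory can expose that one attribute to the proxy's bind user instead of a readable plaintext userPassword. The realm, users, nonces, the attribute name "digestHA1" and the in-memory stand-in for the LDAP view are all constructed; the one external reference is the public test vector from RFC 2617 section 3.5.

```python
# Added example, not code from the thread or from Apache/OpenLDAP/Squid.
# It shows why HTTP Digest auth does not force a plaintext userPassword in
# LDAP: the server only needs HA1 = MD5(user:realm:password), the value
# htdigest(1) stores. Realm, users, nonces, the attribute name "digestHA1"
# and the DIRECTORY dict are constructed stand-ins for an LDAP view.
import hashlib
import hmac
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def htdigest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 as written by htdigest(1). An overlay that recomputes this on
    every password change is all the directory needs; the plaintext is
    never stored. Note: unsalted MD5, so guard it like userPassword."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 'response' directive, derived from HA1 only. The client
    computes it from a fresh HA1, the server from the stored one."""
    ha2 = _md5(f"{method}:{uri}")
    if qop is None:                          # RFC 2069 compatibility form
        return _md5(f"{ha1}:{nonce}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_DIRECTIVE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Minimal parser for 'Digest k="v", k2=v2, ...' (no escape handling)."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {k: quoted or bare for k, quoted, bare in _DIRECTIVE.findall(rest)}


def verify_digest(stored_ha1: str, method: str, request_uri: str,
                  header: str) -> bool:
    """Server side: accept or reject an Authorization header using only
    the HA1 read from the restricted directory attribute. A real server
    also tracks nonce freshness and nc replay; omitted here."""
    p = parse_authorization(header)
    if p.get("uri") != request_uri:          # header must match the request line
        return False
    expected = digest_response(stored_ha1, method, request_uri, p.get("nonce", ""),
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    # Constant-time compare: 'response' is attacker-controlled input.
    return hmac.compare_digest(expected, p.get("response", ""))


def build_authorization(user, realm, password, method, uri, nonce,
                        cnonce="0a4f113b", nc="00000001", qop="auth") -> str:
    """Client side: the header a browser sends for a qop=auth challenge."""
    resp = digest_response(htdigest_ha1(user, realm, password),
                           method, uri, nonce, qop, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=%s, nc=%s, cnonce="%s", response="%s"'
            % (user, realm, nonce, uri, qop, nc, cnonce, resp))


# Constructed stand-in for what the proxy's LDAP bind user is allowed to
# read: only the digest attribute; userPassword is not part of this view.
REALM = "proxy.example"
DIRECTORY = {
    "alice": {"digestHA1": htdigest_ha1("alice", REALM, "correct horse")},
}


def authenticate(method: str, request_uri: str, header: str) -> bool:
    """Look the user up in the constructed directory view and verify."""
    try:
        user = parse_authorization(header).get("username")
    except ValueError:
        return False
    entry = DIRECTORY.get(user)
    return entry is not None and verify_digest(entry["digestHA1"], method,
                                               request_uri, header)


def rfc2617_selfcheck() -> bool:
    """Known-answer test with the public vector from RFC 2617 section 3.5."""
    ha1 = htdigest_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    resp = digest_response(ha1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "auth", "00000001", "0a4f113b")
    return resp == "6629fae49393a05397450978507c4ef1"


if __name__ == "__main__":
    nonce = "5f3a9c01e2"                     # server-chosen, constructed
    good = build_authorization("alice", REALM, "correct horse", "GET", "/", nonce)
    bad = build_authorization("alice", REALM, "wrong", "GET", "/", nonce)
    print("rfc vector ok:", rfc2617_selfcheck())
    print("good:", authenticate("GET", "/", good), "bad:", authenticate("GET", "/", bad))
```

In OpenLDAP terms the matching ACL would be along the lines of `to attrs=digestHA1 by dn.exact="cn=httpd,ou=services,dc=example" read by * none` (attribute and DN names are illustrative, not a real schema), i.e. the same shape as the usual rule for userPassword. Since HA1 is unsalted MD5 over a low-entropy secret, that attribute deserves exactly the same protection as userPassword, which is the point the message makes.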

