MIT kerberos vs heimdal

Jan Rękorajski baggins at pld-linux.org
Sat Feb 7 18:44:48 CET 2015


On Sat, 07 Feb 2015, Tomasz Pala wrote:

> On Sat, Feb 07, 2015 at 17:38:39 +0100, Jan Rękorajski wrote:
> 
> > That was the old reason, last time I checked MIT did not have LDAP
> > and Samba support. Also no Samba flavor ever built with MIT,
> 
> It still doesn't have smbk5pwd if that is what you meant, but honestly I don't
> understand what this is all about (I don't use AD). Well, more than
> written here: https://lists.debian.org/debian-edu/2010/05/msg00019.html
> But there is LDAP backend:
> http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html
> 
> Oh, and I've just found this thread:
> http://www.openldap.org/lists/openldap-technical/201402/msg00197.html
> pointing to https://github.com/opinsys/smbkrb5pwd

Wow, 10 years after Heimdal? And it still looks like it needs some hackery.
But that's not the point, you missed the most important issue (system
MIT makes samba4 useless):

> > and that's crucial now Samba is a real AD server. Just read README.dc
> > from Fedora's samba package, it's so pathetic it still makes me
> > laugh my ass off.
> >
> > Those were the reasons we switched to Heimdal.


> How can I set default and user password policy using Heimdal without
> LDAP (I won't put passwords into a public directory designed for
> authorization not authentication)? I need a plain authentication service,
> no LDAP and no SASL involved.

Never used a standalone KDC, always had an LDAP backend. Try this:
http://kerberos.996246.n3.nabble.com/Password-Quality-Checking-td10147.html
I assume you read this:
http://www.h5l.org/manual/HEAD/info/heimdal/Password-changing.html

-- 
Jan Rękorajski                    | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/


More information about the pld-devel-en mailing list