MIT kerberos vs heimdal

Jan Rękorajski baggins at
Sun Feb 8 11:36:42 CET 2015

On Sat, 07 Feb 2015, Tomasz Pala wrote:

> On Sat, Feb 07, 2015 at 18:44:48 +0100, Jan Rękorajski wrote:
> >> Oh, and I've just found this thread:
> >>
> >> pointing to
> > 
> > Wow, 10 years after Heimdal?
> Kerberos was designed for authentication, not directory services, so you
> shouldn't 'wow' this feature - blame samba for being such a lame AD
> replacement. I see no point in keeping credentials in LDAP, this is
> IMHO against both LDAP (permit reading everything by default, needs some
> fancy ACLs to restrict public information) and KDC (credentials should
> not leave ticket granting system in ANY way). Or blame AD for being such
> a misdesign, dunno - KDC and LDAP should not ever talk to each other
> (with one obvious exception - authenticating user for LDAP access itself).
> Or ...why don't you blame OpenLDAP for missing MIT-updater? It's weird,
> that every LDAP-related solution is flawed - you can't have HTTP digest
> auth with LDAP, because LDAP userPassword would need to be plaintext?
> Wrong, apache could store the same data as htdigest stores and fetch
> them using its own user (with ACLs protecting this attribute the same
> way as userPassword is, and some overlay to update when main user
> password changes). After all, there is squid-ldap auth helper (https
> proxy is relatively new solution, doing basic http auth without SSL is
> not an option). Authenticating user upon successful LDAP bind is
> ridiculous (ok, there is authorization using search, still lame).
> Seems to me that entire LDAP business is a kludge...
> Never mind, there is smbkrb5pwd '10 years after Heimdal' so we might get
> back to MIT '3 years after last Heimdal release', don't we?

Don't forget about the LDAP backend. You don't like it, and MIT folks were
making the same arguments as you just now (separate auth and acct),
but they got real and finally added that backend.

> > And it still looks like it needs some hackery.
> Elaborate please - I've seen many documents on integrating heimdal with
> LDAP and it was all one big hackery, what's the difference with above?

The links you sent looked like some proud story about hacking the world
of MIT krb5 to work with ldap/samba. Maybe I misread it.

> > But that's not the point, you missed the most important issue (system
> > MIT makes samba4 useless):
> Elaborate please - I see all the parts in the same places in both
> systems. What exactly is missing?

APIs and ABIs in Heimdal and MIT are different. Samba uses Heimdal to do
AD DC kerberos. It does not build with MIT. Fedora distributes samba4
without Kerberos, making it effectively a samba3 PDC. The whole point
of samba4 is it being a full-fledged MS AD DC. Is that explanation clear enough?

> >> > and that's crucial now Samba is a real AD server. Just read README.dc
> >> > from Fedora's samba package, it's so pathetic it still makes me
> >> > laugh my ass off.
> >> >
> >> > That were the reasons we switched to Heimdal.
> Wasn't that the reason THEY have created FreeIPA for AD?

Who are THEY?

Jan Rękorajski                    | PLD/Linux
SysAdm | baggins<at> |
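The htdigest-in-LDAP scheme sketched in the quoted reply, written out as an OpenLDAP slapd.conf ACL fragment. This is an added example, not configuration from the thread or from any PLD package; the `digestHA1` attribute name and the `cn=apache,ou=services,...` service DN are assumptions.

```conf
# Added example: slapd.conf access rules for keeping an HTTP digest
# secret in LDAP next to userPassword. "digestHA1" and the apache
# service DN are assumed names, not real schema. slapd evaluates
# access clauses first-match, so the order of "by" lines matters.

# Existing password hash: the user may change it, anyone may present
# it for bind (auth), and nobody may read it back.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# HA1 = MD5(user:realm:password) is password-equivalent, so it gets the
# same protection as userPassword: only the web server's own service
# identity may read it, the user (or the overlay acting as the user)
# may update it, everyone else gets nothing.
access to attrs=digestHA1
        by dn.exact="cn=apache,ou=services,dc=example,dc=com" read
        by self write
        by * none

# Everything else stays readable by authenticated users only, so the
# "LDAP permits reading everything by default" complaint does not apply.
access to *
        by users read
        by * none
```

Test the rules with `slapacl` before reloading, in particular that an anonymous `ldapsearch` returns neither attribute and that the apache DN gets `digestHA1` but not `userPassword`.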

More information about the pld-devel-en mailing list