heimdal and windows compatibility up-to-date information


heimdal and windows compatibility up-to-date information

by Guillaume Rousse

Hello list.

Heimdal documentation still refers to Windows 2000 for Kerberos
compatibility issues. Is there anything more recent somewhere,
considering Windows 2003 and 2008, for instance?

In particular, I'm quite curious to know if, when using an LDAP backend
for Heimdal, I could just copy my Kerberos password attributes into the
AD server, provided I'm using compatible encryptions, and expect it to
work magically :)
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: heimdal and windows compatibility up-to-date information

by Andrew Bartlett

On Thu, 2008-07-17 at 11:18 +0200, Guillaume Rousse wrote:

> Hello list.
>
> Heimdal documentation still refers to Windows 2000 for Kerberos
> compatibility issues. Is there anything more recent somewhere,
> considering Windows 2003 and 2008, for instance?
>
> In particular, I'm quite curious to know if, when using an LDAP backend
> for Heimdal, I could just copy my Kerberos password attributes into the
> AD server, provided I'm using compatible encryptions, and expect it to
> work magically :)
No.

Perhaps we need to step back a bit - what are you trying to do?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.


Re: heimdal and windows compatibility up-to-date information

by Guillaume Rousse

Andrew Bartlett wrote:

> On Thu, 2008-07-17 at 11:18 +0200, Guillaume Rousse wrote:
>> Hello list.
>>
>> Heimdal documentation still refers to Windows 2000 for Kerberos
>> compatibility issues. Is there anything more recent somewhere,
>> considering Windows 2003 and 2008, for instance?
>>
>> In particular, I'm quite curious to know if, when using an LDAP backend
>> for Heimdal, I could just copy my Kerberos password attributes into the
>> AD server, provided I'm using compatible encryptions, and expect it to
>> work magically :)
>
> No.
>
> Perhaps we need to step back a bit - what are you trying to do?
First, to establish a trust relationship between the two realms, as was
already possible with previous Heimdal/Windows versions. But I think the
compatibility information given in the documentation about encryption
types supported by Windows has to be updated; I can't think Windows 2008
still supports only des-cbc-crc.

Second, I was looking at a better way to sync user accounts between our
new LDAP-backed Heimdal KDC and our Windows AD. Currently, we have an
automated task synchronising user entries into Windows LDAP from our
Unix LDAP hourly, and a password-management CGI propagating password
changes to both systems (using an ugly VB CGI on the Windows side to
effectively change the password). I was wondering if the password
handling stuff could be merged with the LDAP synchronisation task, now
that we store Kerberos keys in LDAP.

As I gather from your answer that it isn't, I'm still interested in the
best way to handle AD user accounts remotely, without a local Windows
code relay. Is there any issue directly modifying the AD base through an
LDAP connection? My Windows colleague currently prefers to dump LDIF
entries and import them through a Windows-specific tool. And how to set
Windows passwords from Perl code? I'm currently biased toward using an
external smbpassword call, but maybe there are better ways.

Thanks.

Re: heimdal and windows compatibility up-to-date information

by Andrew Bartlett

On Fri, 2008-07-18 at 11:59 +0200, Guillaume Rousse wrote:

> Andrew Bartlett wrote:
> > On Thu, 2008-07-17 at 11:18 +0200, Guillaume Rousse wrote:
> >> Hello list.
> >>
> >> Heimdal documentation still refers to Windows 2000 for Kerberos
> >> compatibility issues. Is there anything more recent somewhere,
> >> considering Windows 2003 and 2008, for instance?
> >>
> >> In particular, I'm quite curious to know if, when using an LDAP backend
> >> for Heimdal, I could just copy my Kerberos password attributes into the
> >> AD server, provided I'm using compatible encryptions, and expect it to
> >> work magically :)
> >
> > No.
> >
> > Perhaps we need to step back a bit - what are you trying to do?
> First, to establish a trust relationship between the two realms, as was
> already possible with previous Heimdal/Windows versions. But I think the
> compatibility information given in the documentation about encryption
> types supported by Windows has to be updated; I can't think Windows 2008
> still supports only des-cbc-crc.
There is an additional flag that you can specify to have it use
arcfour-hmac-md5 against 'MIT' realms.  The restriction on des-cbc-crc
was only ever on trusts; user accounts were almost all
arcfour-hmac-md5, and now in 2008 also AES.

> Second, I was looking at a better way to sync user accounts between our
> new LDAP-backed Heimdal KDC and our Windows AD. Currently, we have an
> automated task synchronising user entries into Windows LDAP from our
> Unix LDAP hourly, and a password-management CGI propagating password
> changes to both systems (using an ugly VB CGI on the Windows side to
> effectively change the password). I was wondering if the password
> handling stuff could be merged with the LDAP synchronisation task, now
> that we store Kerberos keys in LDAP.

Windows does not allow the password attributes to be manipulated like
that.  You could potentially read and set passwords with Samba4's
DRSUAPI synchronisation, but you can't do it with just Heimdal or just
LDAP.

> As I gather from your answer that it isn't, I'm still interested in the
> best way to handle AD user accounts remotely, without a local Windows
> code relay. Is there any issue directly modifying the AD base through an
> LDAP connection? My Windows colleague currently prefers to dump LDIF
> entries and import them through a Windows-specific tool. And how to set
> Windows passwords from Perl code? I'm currently biased toward using an
> external smbpassword call, but maybe there are better ways.

You could certainly run Samba tools to set the user's password, if you
wanted.

Andrew Bartlett
