Mike MacCana wrote:
On Tue, 2005-06-21 at 10:11 -0500, Jason L Tibbitts III wrote:
A data abstraction layer (DAL) patch that does just that has just been committed to the cvs of MIT KDC.
"AB" == Alexander Boström <abo kth se> writes:
AB> I don't know how that works but I must say I'm very sceptical,
AB> mostly from a security standpoint. What's the advantage of doing
AB> it that way?
A single replication infrastructure. I use the MIT KDC because it's
what Red Hat happens to ship, but I'd much rather have everything in
LDAP instead of having two separate systems to configure and maintain.
So Heimdal can use an LDAP data store? Sweet. Thanks so much for your
post.
I've wanted MIT krb5 to do this (in a non hacky way) for ages.
Can Heimdal do Kerberos over TCP, and does it support MS specific
encryption types, like MIT Kerberos does?
Quoted from heimdal.info:
Also I believe heimdal can (or will be able to) use the LDAP attribute "sambaNTPassword" as an arcfour-hmac-md5 kerberos key. I haven't tried MIT KDC+DAL (or heimdal for that matter) but I guess that the raison d'être of DAL being its possible use alongside future versions of samba, it's likely to support the same feature.
Encryption types
================
Windows 2000 supports both the standard DES encryptions (des-cbc-crc and des-cbc-md5) and its own proprietary encryption that is based on MD4 and rc4 that is documented in and is supposed to be described in `draft-brezak-win2k-krb-rc4-hmac-03.txt'. New users will get both MD4 and DES keys. Users that are converted from a NT4 database, will only have MD4 passwords and will need a password change to get a DES key.
Heimdal implements both of these encryption types, but since DES is the
standard and the hmac-code is somewhat newer, it is likely to work
better.
Also is the new kernel keyring facility planned for FC5 inclusion?