Documentation is available at: https://github.com/opinsys/smbkrb5pwd/wiki

OVERVIEW

smbkrb5pwd is an OpenLDAP (slapd) overlay to change LDAP, Samba and MIT Kerberos passwords at the same time. It intercepts the LDAP PasswordModify Extended Operations and changes all the passwords. It is based on the smbk5pwd overlay that provides similar functionality for Heimdal kerberos.

The makefile creates two different versions of the overlay - smbkrb5pwd and smbkrb5pwd_srv. smbkrb5pwd is linked against libkadm5clnt_mit and it contacts kadmind to modify the kerberos principal. This was previously the only operation mode available. When using kadmind to modify the principals, smbkrb5pwd needs a kerberos principal to manage the user principals. MIT Kerberos can use LDAP backend to store its data, but it should not be necessary.

smbkrb5pwd_srv uses libkadm5srv_mit to modify the kerberos principal and it requires that the slapd is able to read all kerberos configuration files including the kerberos stash files and ldap secrets. All file operations are done within the slapd process so there may be security considerations.

When LDAP password is changed, the overlay checks whether a principal uid@REALM exists and creates it if it does not. If the principal exists, only the password is changed.

KNOWN LIMITATIONS

• Because of locking issues, kerberos data cannot be stored in same objects as users
• Principals are always named uid@REALM and cannot be changed
• If uid in LDAP is changed, the old kerberos principal is not deleted automatically
• If LDAP user is deleted, the kerberos principal is not deleted automatically

INSTALLATION

To compile the overlay the easiest way is to get the full source code for OpenLDAP and place the smbkrb5pwd directory under contrib/slapd-modules directory. After compiling OpenLDAP normally the overlay can be compiled simply by running make in the smbkrb5pwd directory.

cd contrib/slapd-modules/smbkrb5pwd make sudo cp .libs/* /usr/lib/ldap/

SLAPD CONFIGURATION

To configure the overlay, the module needs to be loaded and configured for the database.

Depending on the version to be loaded, the module name needs to be changed. The older version that contacts kadmind:

dn: cn=module{0},cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/ldap olcModuleload: {0}back_hdb olcModuleload: {1}smbkrb5pwd

The new mode that does not use kadmind:

dn: cn=module{0},cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/lib/ldap olcModuleload: {0}back_hdb olcModuleload: {1}smbkrb5pwd_srv

Overlay configuration is the same for both:

dn: olcOverlay={0}smbkrb5pwd,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSmbKrb5PwdConfig olcOverlay: {0}smbkrb5pwd olcSmbKrb5PwdEnable: samba olcSmbKrb5PwdEnable: krb5 olcSmbKrb5PwdMustChange: 2592012 olcSmbKrb5PwdKrb5Realm: EDU.EXAMPLE.ORG olcSmbKrb5PwdRequiredClass: posixAccount

The overlay accepts the following configuration attributes:

• olcSmbKrb5PwdEnable - samba / krb5
  • Enable samba/kerberos functionality of the module, same as olcSmbK5PwdEnable in smbk5pwd. If attribute is not set or both are set, both passwords are changed.
• olcSmbKrb5PwdMustChange - e.g. 31536000 (year), 2592000 (30 days)
  • Time in seconds before the password expires (currently affects only Samba)
• olcSmbKrb5PwdKrb5Realm - e.g. EDU.EXAMPLE.ORG
  • Kerberos realm used to create user principals
• olcSmbKrb5PwdRequiredClass - e.g. posixAccount
  • If set, the entry needs to have this object class for the kerberos principal and samba passwords to be modified

KERBEROS PRINCIPAL

smbkrb5pwd connects to kadmind using a principal found in keytab file /etc/ldap/slapd.d/openldap-krb5.keytab. The keytab is searched for principal that has name smbkrb5pwd/FQDN@REALM. Note that “hostname -f” should return fqdn. One way to achieve this is to put fqdn as the first name in /etc/hosts for the server’s ip address (here 10.11.12.13):

10.11.12.13 server.edu.example.org server

Creating the principal and exporting it to a keytab file can be done with the following commands:

kadmin.local -q "addprinc -randkey smbkrb5pwd/server.edu.example.org@EDU.EXAMPLE.ORG" kadmin.local -q "ktadd -e des-cbc-crc:normal -k /etc/ldap/slapd.d/openldap-krb5.keytab \ smbkrb5pwd/server.edu.example.org@EDU.EXAMPLE.ORG"

chown openldap.openldap /etc/ldap/slapd.d/openldap-krb5.keytab

SMBKRB5PWD_SRV FILE PERMISSIONS

smbkrb5pwd_srv needs read access to all kerberos configuration files (no write access is needed). On Debian/Ubuntu these files are:

/etc/krb5.conf /etc/krb5.secrets /etc/krb5kdc/*

TESTING

The overlay activates itself when an password change exop request is made. This can be done for example with ldappasswd command:

ldappasswd -x -D uid=admin,ou=people,dc=edu,dc=example,dc=org -W \ uid=user1,ou=people,dc=edu,dc=example,dc=org

smbkrb5pwd writes debug information to slapd’s logfile which is normally /var/log/syslog in Ubuntu.

LICENSE

smbkrb5pwd is based on smbk5pwd overlay that can be found under http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd in OpenLDAP's sources. smbkrb5pwd is licensed under The OpenLDAP Public License that is also used for smbk5pwd.

Copyright 2004-2010 The OpenLDAP Foundation. Portions Copyright 2004-2005 Howard Chu, Symas Corp. All rights reserved. Portions Copyright 2010-2013 Opinsys Oy.

Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.

A copy of this license is available in the file LICENSE in the top-level directory of the distribution or, alternatively, at http://www.OpenLDAP.org/license.html.