Add support for the smbk5pwd overlay

I would also like to vote for this, perhaps a slapd-smbk5overlay in multiverse would be a good starting place....

I'd like to encourage this effort, it's a pretty big piece of an overall Single Sign On blueprint. It would be good to coordinate with Samba4 and heimdal1.0 to see how they're storing password hashes first though.

I too, would enjoy if this overlay was available in a package included in Ubuntu.

A note for anyone building this module, I have problems building with the version in OpenLDAP 2.3.30 series, but the one in CVS HEAD's contrib/... dir seems to have a lot of fixes, FYI

I will package this.

I built this today off of the Gutsy source (so it should have all of the goodies from the patch tree). It works in my test ldap, YMMV

Rick, any luck with the packaging?

Debian bug 443073

Mockup of changes to make this package.

The attached all works with the new 2.4.7 debs in Debian.

The only thing you need to do to make this work is append control.append to the debian control file (making sure to leave the blank line). Install the heimdal-dev package (1.0.1-5 please). Apply the rules.patch to the rules script. Then just build the entire package as normal.

The deb should depend on libkadm5srv8-heimdal (>= 1.0.1-5), libkrb5-22-heimdal (>= 1.0.1-5), libroken18-heimdal (>= 1.0.1-5), libasn1-8-heimdal (>= 1.0.1-5), libhx509-1-heimdal (>= 1.0.1-5), libhdb9-heimdal (>= 1.0.1-5) when all is said and done, but it doesn't seem to work.... probably my lack of knowledge in this area.

I would note that the original rationale for this bug report, password synchronization between pam and samba passwords, is incorrect. There are other, more general means of keeping passwords synchronized between Unix, LDAP, Samba, etc. databases using PAM itself which don't require any overlays on the LDAP side. This wouldn't meet the needs of arbitrary LDAP clients effecting password changes, but it would serve the needs of any system-level password changes (i.e., where the password change is done via PAM by a service such as ssh, login, passwd, etc.).

So there are certainly cases where this overlay would be useful to people, but I don't think it should be central to an SSO solution in main.

Quoting Steve Langasek:

>I would note that the original rationale for this bug report, password synchronization between pam and samba passwords, is incorrect.
>There are other, more general means of keeping passwords synchronized between Unix, LDAP, Samba, etc. databases using PAM
>itself which don't require any overlays on the LDAP side.

That was new information to me - could you point to a HOWTO or similar?

>This wouldn't meet the needs of arbitrary LDAP clients effecting password changes,

Indeed. By using smbk5pwd, doing a password change will work using any LDAP tool, as long as the tool is doing an EXOP for the password change.

I've reworked Pat's files into a patch against Ubuntu slapd source package 2.4.9-0ubuntu0.8.04.1

It's much more Debian-ized, except that there are still hacks since upstream source doesn't use autoconf to build this module.

It produces an extra package slapd-smbk5pwd, that can be installed without any of the other packages that get build; you can use the ones from hardy-updates for slapd etc. I did this so that any security updates won't cause slapd-smbk5pwd to get uninstalled and bring down authentication services.

I suppose there are other means of doing Single-Sign-On, but this one works now. Samba4 could shake things up in the area of SSO, of course it uses Heimdal-kdc (internally by default), so this module might live on even if it only gives slapd itsself integrated authentication with AD DC.

The smbk5pwd overlay relies on heimdal. However MIT kerberos is the default kerberos implementation in Ubuntu (ie MIT kerberos is in main, while heimdal is in universe). Thus one requirement to get the smbk5pwd overlay is to get it working with the MIT kerberos library.

Although it is logical to ask for MIT support, that raises a bigger question about MIT kerberos: does it have a roadmap to SSO, and being a directory server with MS Active Directory support? Heimdal is how Samba4 is achieving this, and it seems to me that MIT is lagging far far behind. So the bigger question of Ubuntu's server blueprints for SSO should I guess be the focus.

I've only just noticed this bug report. For the last couple of Ubuntu releases I've been patching and re-compiling the openldap (previously openldap2.3) packages in my PPA as I use the smbk5pwd overlay.

If you'd like to make use of my work, add the following to apt's sources.list for Intrepid:

    deb http://ppa.launchpad.net/ian-sigma-uk/ppa/ubuntu intrepid main
    deb-src http://ppa.launchpad.net/ian-sigma-uk/ppa/ubuntu intrepid main

or for Hardy:

    deb http://ppa.launchpad.net/ian-sigma-uk/ppa/ubuntu hardy main
    deb-src http://ppa.launchpad.net/ian-sigma-uk/ppa/ubuntu hardy main

Then import my PPA key with:

    sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com a94c744b25d20c39c0918ff595d65a6ae51162d2

To avoid any odd dependencies the overlay is in a new package called slapd-smbk5pwd, which depends on the heimdal libraries. Hence you will need to have the universe repositories enabled for it to install. When you're ready:

    sudo apt-get install slapd-smbk5pwd

You should now be ready to use the overlay.

Hope this helps someone save the time it took me to work it all out. Maybe one day we could find a way of getting the slapd-smbk5pwd package in universe so that it's available to all?

I created a jaunty ppa using Ian McMichael's changes. It can be found here:

https://launchpad.net/~automation/+archive/ppa

I hope this gets into karmic.

Hello. I am using debian lenny, with the smbk5pwd overlay. It works OK, but since heimdal 1.1 it needs to be patched before compiling. Otherwise, it crashes slapd when you change a password. You can have a look at debian bug #443073.

I suppose it will happen the same on newer versions of ubuntu, including heimdal >= 1.1
I attach the patch I have used to compile smbk5pwd on debian lenny (heimdal 1.2). I have been using it on production for two weeks, with dozens of password changes, with no problem.

Best regards. Juan.

Any possibility of getting this into 10.10?

It's fixed in Debian unstable, so the package just needs to be synced from there.

A year has passed since this packaging issue was solved in the Debian repositories. How can we go about getting it included in the 10.04 LTS?

Here is a deb of the smbk5pwd overlay, packed for 10.04 Lucid. It is a patched version, which also updates the shadowLastChange attibute if exists.

Attached you will find a patch that builds the smbk5pwd overlay.
The patch was done against the openldap 2.4.28-1.1ubuntu4 package.
I basically copied over the missing parts from the debian version of the package.

In my opinion the point raised by Mathias Gug is moot. If people want to use heimdal in combination with smbk5pwd, they should be able to do so. Especially since there are no downsides to including the smbk5pwd overlay in the package.

As long as this patch not accepted feel free to use the openldap package from my PPA (https://launchpad.net/~georg-rath/+archive/ppa-mrce). I will try to keep up with the official Ubuntu releases.

This bug was fixed in Debian over two years ago. Is there any way this can get reprioritized somewhere higher than "wishlist?" Having to use George Rath's PPA is a bad workaround (but thanks George for your effort, it certainly helped!) and pulling the Debian slapd packages into our own apt server isn't much better.

I wonder, why there is apparently no merge from debian since 2010?!?

I fail to understand why MIT vs Heimdal is an issue. Ubuntu supplies numerous packages that are dependent on Heimdal. Why is this different?

I think the best thing to do for this bug is to unassign it and have it get re-triaged. It was triaged and assigned almost 5 years ago well before upstream fixed the problem. I'm hoping this doesn't upset anyone.

So it appears that:

Ubuntu is up to date against the corresponding Debian package, and the 12.04 release is also reasonably close.

The smbk5pwd overlay is specifically disabled in the Ubuntu build. This is from the changelog:

+ Don't build smbk5pwd overlay since it uses heimdal instead of krb5:
        - debian/control:
          - remove build-dependency on heimdal-dev.
          - remove slapd-smbk5pwd binary package.
        - debian/rules: don't build smbk5pwd slapd module.

In the past (natty and earlier), heimdal was not in main and openldap was, so this would have required this. I'm not sure what the reason is now, since heimdal-dev is in main since oneiric.

Heimdal MIR was bug 800853

The funny thing is that, far as I can tell, heimdal-dev already is a build-dependency in the precise version of the package.
The only thing that needs to be done is to reenable the generation of the slapd-smbk5pwd package.
The patch in #21 does just that. It also adds the heimdal-fix patch from the debian repositories. I deployed the modified package on a test system and it works without problems.

Thank you for reopening this bug and taking a look at the problem.

Status changed to 'Confirmed' because the bug affects multiple users.

Seems to be fixed in quantal - and it only took five years:

openldap (2.4.28-1.1ubuntu5) quantal; urgency=low

  * debian/rules: Add smbk5pwd build.
  * debian/control: Add slapd-smbk5pwd binary package.
  * debian/patches/heimdal-fix: adapt parameters of
    hdb_generate_key_set_password() to heimdal 1.6~git20120311
    (patch from Debian #664930).
 -- Jorge Salamero Sanz <email address hidden> Wed, 18 Jul 2012 09:30:28 -0400

Thanks for confirming, Georg.