Nick Milas wrote:
> Yes, it's the MIT Kerberos. And, after looking into smbk5pwd, it does the opposite (of what I want): it automatically gets the value for userPassword based on the Principal key (krb5Key) attribute (using the krb5-kdc.schema).
No, it can do two things:
1. Intercept a Password Modify Extended Request and populate krb5Key based on the new clear-text password.
2. Intercept a simple Bind Request and check the user's password against krb5Key if userPassword is set to the value {K5KEY}.
From what I understood in your original posting you want 1. But you have to use heimdal as KDC for that.
> I am looking into whether it is possible to automatically populate/produce krbPrincipalKey attribute values (kerberos.schema) based on current userPassword attribute values (person objectClass in core.schema), without knowing the stored password (encoded mainly as MD5).
Maybe you can extend smbk5pwd to do that or derive your own overlay from that code.
Ciao, Michael.
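The two hooks Michael describes, modelled as an added example (this is not smbk5pwd's own code, and the `{MD5}`/`{SSHA}` formats are OpenLDAP's while the realm, uid and entry values are constructed): the Password Modify hook needs the clear-text password to derive the Kerberos key, and the `{K5KEY}` bind hook needs it again to re-derive and compare. The key derivation is only the PBKDF2 stage of RFC 3962 string-to-key (the final DK step, which needs AES, is left out), which is enough to show why a stored MD5 digest of userPassword can never be turned into a krb5Key.

```python
import base64
import hashlib
import hmac
import os

REALM = "EXAMPLE.ORG"  # constructed realm, not from the thread


def ssha_hash(password: str, salt=None) -> str:
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def check_md5(stored: str, password: str) -> bool:
    """OpenLDAP {MD5}: base64 of the raw, unsalted MD5 digest."""
    return hmac.compare_digest(base64.b64decode(stored[len("{MD5}"):]),
                               hashlib.md5(password.encode()).digest())


def rfc3962_tkey(password: str, principal: str, realm: str,
                 iterations: int = 4096, keylen: int = 32) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key; the salt is realm + principal.
    Real aes256-cts also applies DK(tkey, "kerberos"), omitted here (needs AES).
    The only secret input is the clear-text password: a digest of it is useless."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, keylen)


def on_password_modify(entry: dict, new_password: str) -> None:
    """Hook 1: a Password Modify Extended Request carries the clear text, so both
    the LDAP hash and the Kerberos key can be (re)computed at this moment."""
    entry["userPassword"] = ssha_hash(new_password)
    entry["krb5Key"] = rfc3962_tkey(new_password, entry["uid"], REALM)


def simple_bind(entry: dict, password: str) -> bool:
    """Hook 2: userPassword == {K5KEY} delegates verification to krb5Key;
    any other scheme is checked the ordinary slapd way."""
    stored = entry["userPassword"]
    if stored == "{K5KEY}":
        return hmac.compare_digest(entry["krb5Key"],
                                   rfc3962_tkey(password, entry["uid"], REALM))
    if stored.startswith("{SSHA}"):
        return check_ssha(stored, password)
    if stored.startswith("{MD5}"):
        return check_md5(stored, password)
    return False
```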