Re: knowing which schema(s) to use

[Ryan Tandy <ryan@nardis.ca>]

On Tue, May 16, 2017 at 03:23:59PM -0400, Prentice Bisbal wrote:
> 1. Kerberos attributes in "new" kerberos schema start with 'krb' 
> instead of 'krb5'

Are you sure they are only older/newer versions of the same schema? That 
sounds to me like one of them is the MIT schema and the other is 
Heimdal. AFAIK the data formats are not really compatible despite the 
similar names for things.

MIT schema: https://github.com/krb5/krb5/blob/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
Heimdal schema: https://github.com/heimdal/heimdal/blob/master/lib/hdb/hdb.schema

Worth noting is that MIT has 'krbPrincipal' and 'krbPrincipalAux' but in 
Heimdal, 'krb5Principal' itself is already AUXILIARY.

> Both of these are easy to fix - just use sed to change 'krb5' to 
> 'krb', and then change 'krbPrincipal' to 'krbPrincipalAux', but is 
> this really the best/safest way to make these changes. Also, what 
> happens to apps that are looking for the 'krb5' instead of 'krb' and 
> vice-versa?

Right, you can't just go modifying schema without also modifying the 
applications that have the names and expectations baked into them. 
Generally the correct schema to use is the one supplied with the 
software itself - in this case, whichever KDC you are using should have 
a copy of the appropriate schema shipped with it.