[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Kerberos for Debian Edu/Squeeze?

I continue to get feedback from my kerberos blog post.  I got this one
mentioning interesting alternatives:

  Greetings from Ecuador. I've read your post on Kerberos and
  LDAP. I've setup several interoperatibility schemes with Kerberos
  and LDAP in the past. You can actually build a single sign-on domain
  controller for a mixed Linux/Windows environment using Heimdal and

  You need to store your principals in LDAP. This is easy and Heimdal
  as well as MIT (though I've only done that with Heimdal) allows to
  do so.

  You can use both OpenLDAP and 389 Directory Server (formerly Fedora
  DS) which runs in Debian nicely. 389 might as well give you a break
  with the password policies, overlays for syncing
  Samba-POSIX-Kerberos password and all other uncomfortable stuff of
  Kerberos + LDAP.

  pam-ccreds has proven a little bit like nscd: seems good on paper
  but you start to feel the heat when you bring it to practice. While
  I've made it work in the past, it brings newer security problems. I
  recall on 2007 I deployed a Debian-based distribution in over 6K
  workstations for Venezuela's main power utility, and ccreds worked

  If you unplugged the network cable while xscreensaver was on, you
  could log in just by pressing Enter. And, believe me, any
  combination of the PAM parameters made pam-ccreds unusable. So, try
  to use another PAM module for non-delayed non-networked
  authentication for roaming.

  I'd be glad to share any other experience with you and the people
  over at Skolelinux. Just let me know, and have a nice day.

  - --
  José Miguel Parrella Romero (bureado.com.ve)        PGP: 0×88D4B7DF
  Debian Developer                              Caracas, VE/Quito, EC

Posted here with his approval.  Anyone with opinions on which Kerberos
implementation we should use?

Happy hacking,
Petter Reinholdtsen

Reply to: