Re: Kerberos for Debian Edu/Squeeze?
I continue to get feedback from my Kerberos blog post. I got this one
mentioning interesting alternatives:
Greetings from Ecuador. I've read your post on Kerberos and
LDAP. I've set up several interoperability schemes with Kerberos
and LDAP in the past. You can actually build a single sign-on domain
controller for a mixed Linux/Windows environment using Heimdal and
OpenLDAP.
You need to store your principals in LDAP. This is easy and Heimdal
as well as MIT (though I've only done that with Heimdal) allow you to
do so.
You can use both OpenLDAP and 389 Directory Server (formerly Fedora
DS) which runs in Debian nicely. 389 might as well give you a break
with the password policies, overlays for syncing
Samba-POSIX-Kerberos password and all other uncomfortable stuff of
Kerberos + LDAP.
pam-ccreds has proven a little bit like nscd: seems good on paper
but you start to feel the heat when you bring it to practice. While
I've made it work in the past, it brings newer security problems. I
recall in 2007 I deployed a Debian-based distribution in over 6K
workstations for Venezuela's main power utility, and ccreds worked
nicely.
If you unplugged the network cable while xscreensaver was on, you
could log in just by pressing Enter. And, believe me, any
combination of the PAM parameters made pam-ccreds unusable. So, try
to use another PAM module for non-delayed non-networked
authentication for roaming.
I'd be glad to share any other experience with you and the people
over at Skolelinux. Just let me know, and have a nice day.
--
José Miguel Parrella Romero (bureado.com.ve) PGP: 0x88D4B7DF
Debian Developer Caracas, VE/Quito, EC
Posted here with his approval. Anyone with opinions on which Kerberos
implementation we should use?
Happy hacking,
--
Petter Reinholdtsen