Hi Nik, hi all,

On Fri 02 Sep 2016 00:34:47 CEST, Petter Reinholdtsen wrote:
> [Dominik George]
>> Sure. I know it is used - but user login is nothing that specifically
>> *needs* Kerberos in Debian Edu - it would be a matter of switching to
>> libpam-ldap instead. This isn't as good as Kerberos, sure - but it is
>> no point that makes any Debian Edu install *need* Kerberos.
>
> I suspect you are right. I have vague memories of CUPS and Samba
> working better with Kerberos than without, but nothing vital. Note,
> the libpam-ldapd package is probably a better option than libpam-ldap.
>
>> If you happen to have an idea on how to add Kerberos without involving
>> actions by every user, please let me know and I will happily do.
>
> I believe the common approach is to add a pam module to do it,
> basically adding the password to Kerberos when a user logs in, without
> the user noticing. See the libpam-krb5-migrate-heimdal for an example.
> I'm not sure if there is an MIT Kerberos plugin available in Debian.
> You might have to build it yourself.
Please note that the implementation of GOsa as found in Debian Edu keeps the three password types (LDAP's userPassword, Samba's nthash and Kerberos principals' creds) in sync if GOsa is the sole mechanism for password maintenance.
The Samba configuration of TJENER also syncs back password changes coming from Windows clients into LDAP's userPassword and the Kerberos account.
Please also note that the Kerberos data is stored in TJENER's LDAP db. So syncing LDAP data over slapd mirroring configs will also sync the Kerberos data. Thus, you can

(a) easily roll out slave KDCs at remote locations, or
(b) alternatively use LDAP's userPassword read-only at remote locations.

All account management features (e.g. the passwd cmdline tool) should direct the workflow back to the core instance (or an instance attached to a master-master synced slapd) of GOsa.
If you need more info on how to integrate Debian Edu's main LDAP db into distributed setups, please don't hesitate to ask. Possibly Cc: me directly, as I don't have that much time to follow-up on the D-E mailing list on a day-to-day basis (unfortunately).
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
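Mike's point above is that the three password representations (OpenLDAP's userPassword, Samba's NT hash, the Kerberos principal's key) only stay in sync as long as GOsa, or the Samba sync hook on TJENER, is the sole place passwords change. A practitioner who suspects drift (a password changed with a stray `ldappasswd`, or a Samba hash left behind) wants a way to check. The following is an added example, not code from the thread, from GOsa or from Debian Edu: given a candidate password and an LDAP entry, it verifies the `userPassword` hash ({SSHA} or {SHA}) and the `sambaNTPassword` attribute (NT hash, i.e. MD4 over the UTF-16LE password) and reports which stores agree. The Kerberos leg cannot be verified offline (with the MIT kldap backend the principal keys in LDAP are encrypted under the KDC master key), so that check is left to `kinit` against TJENER. The DN base `dc=skole,dc=skolelinux,dc=no`, the two sample entries and the salts are constructed for the example; MD4 is implemented inline because `hashlib.new("md4")` is missing on many OpenSSL 3 builds.

```python
"""Check whether an LDAP account's password stores agree on one password.

Added example, not Debian Edu or GOsa code. Verifies userPassword ({SSHA}/{SHA})
and sambaNTPassword (NT hash = MD4 over UTF-16LE). Kerberos keys are not
checked here: with kldap they sit in LDAP encrypted under the KDC master key,
so that leg is verified with kinit against the KDC instead.
"""
import base64
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); needed because hashlib may lack md4."""
    def rotl(x, s):
        return ((x << s) | (x >> (32 - s))) & MASK

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_idx = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, s), b, c
        for i in range(16):  # round 2
            k, s = (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, s), b, c
        for i in range(16):  # round 3
            k, s = r3_idx[i], (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, s), b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: uppercase hex MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword: base64(sha1(pw || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_user_password(stored: str, password: str) -> bool:
    """Constant-time check of a {SSHA} or {SHA} userPassword value."""
    if not stored.startswith("{"):
        raise ValueError("expected a {SCHEME}-prefixed userPassword value")
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    pw = password.encode("utf-8")
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]  # salt is whatever follows the digest
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    raise ValueError(f"unsupported userPassword scheme: {scheme}")


def check_account(entry: dict, password: str) -> dict:
    """Report, per store, whether the entry's hashes match `password`."""
    result = {
        "userPassword": verify_user_password(entry["userPassword"], password),
        "sambaNTPassword": hmac.compare_digest(
            entry["sambaNTPassword"].upper(), nt_hash(password)),
    }
    result["in_sync"] = result["userPassword"] and result["sambaNTPassword"]
    return result


# Constructed sample entries (assumed DN base, not real TJENER data). bob models
# a password changed outside GOsa: LDAP was updated, the Samba hash was not.
ALICE_DN = "uid=alice,ou=people,dc=skole,dc=skolelinux,dc=no"
BOB_DN = "uid=bob,ou=people,dc=skole,dc=skolelinux,dc=no"
SAMPLE_ENTRIES = {
    ALICE_DN: {"userPassword": ssha("correct horse", bytes.fromhex("0badf00d")),
               "sambaNTPassword": nt_hash("correct horse")},
    BOB_DN: {"userPassword": ssha("new-pass-2016", bytes.fromhex("c0ffee00")),
             "sambaNTPassword": nt_hash("old-pass-2015")},
}

if __name__ == "__main__":
    for dn, pw in ((ALICE_DN, "correct horse"), (BOB_DN, "new-pass-2016")):
        print(dn, check_account(SAMPLE_ENTRIES[dn], pw))
```

In practice the entry dict comes from `ldapsearch -LLL -b "$BASE" "(uid=$USER)" userPassword sambaNTPassword` run as an identity allowed to read those attributes; a `userPassword` match with a `sambaNTPassword` mismatch is exactly the drift Mike describes, and the fix is to push the password through GOsa (or the core instance's `passwd` workflow) so all three stores are rewritten together.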