[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Use of Kerberos in Debian Edu

Hi Nik, hi all,

On  Fr 02 Sep 2016 00:34:47 CEST, Petter Reinholdtsen wrote:

[Dominik George]
Sure. I know it is used - but user login is nothing that specifically
*needs* Kerberos in Debian Edu - it would be a matter of switching to
libpam-ldap instead. This isn't as good as Kerberos, sure - but it is no
point that makes any Debian Edu install *need* Kerberos.

I suspect you are right.  I have vague memories of CUPS and Samba
working better with Kerberos than without, but nothing vital.  Note, the
libpam-ldapd package is probably a better option than libpam-ldap.

If you happen to ahve an idea on how to add Kerberos without involving
actions by every user, please let me know and I will happily do.

I believe the common approach is to add a pam module to do it, basicly
adding the password to Kerberos when a user log in, without the user
noticing.  See the libpam-krb5-migrate-heimdal for an example.  I'm not
sure if there is an MIT Kerberos plugin available in Debian.  You might
have to build it yourself.

Please note that the implementation of GOsa as found in Debian Edu keeps the three password types (LDAP's userPassword, Samba's nthash and Kerberos principals' creds) in sync if GOsa is the sole mechanism for password maintenance.

The Samba configuration of TJENER also syncs back password changes coming from Windows clients into LDAP's userPassword and the Kerberos account.

Please also note that the Kerberos data is stored in TJENER's LDAP db. So syncing LDAP data over slapd mirroring configs will also sync the Kerberos data. Thus, you can

  (a) easily roll-out slave KDCs at remote locations
  (b) or alternatively use LDAP's userPassword read-only at remote locations

All account management features (e.g. the passwd cmdline tool) should direct the workflow back to the core instance (or an instance attached to a master-master synced slapd) of GOsa.

If you need more info on how to integrate Debian Edu's main LDAP db into distributed setups, please don't hesitate to ask. Possibly Cc: me directly, as I don't have that much time to follow-up on the D-E mailing list on a day-to-day basis (unfortunately).


mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpq9C6nOWx8j.pgp
Description: Digitale PGP-Signatur

Reply to: