
Re: Use of Kerberos in Debian Edu



Hi Nik, hi all,

On Fri 02 Sep 2016 00:34:47 CEST, Petter Reinholdtsen wrote:

> [Dominik George]
>> Sure. I know it is used - but user login is nothing that specifically
>> *needs* Kerberos in Debian Edu - it would be a matter of switching to
>> libpam-ldap instead. This isn't as good as Kerberos, sure - but it is no
>> point that makes any Debian Edu install *need* Kerberos.
>
> I suspect you are right.  I have vague memories of CUPS and Samba
> working better with Kerberos than without, but nothing vital.  Note, the
> libpam-ldapd package is probably a better option than libpam-ldap.
>
>> If you happen to have an idea on how to add Kerberos without involving
>> actions by every user, please let me know and I will happily do so.
>
> I believe the common approach is to add a pam module to do it, basically
> adding the password to Kerberos when a user logs in, without the user
> noticing.  See the libpam-krb5-migrate-heimdal for an example.  I'm not
> sure if there is an MIT Kerberos plugin available in Debian.  You might
> have to build it yourself.

Please note that the implementation of GOsa as found in Debian Edu keeps the three password types (LDAP's userPassword, Samba's nthash and Kerberos principals' creds) in sync if GOsa is the sole mechanism for password maintenance.

The Samba configuration of TJENER also syncs back password changes coming from Windows clients into LDAP's userPassword and the Kerberos account.

Please also note that the Kerberos data is stored in TJENER's LDAP db. So syncing LDAP data over slapd mirroring configs will also sync the Kerberos data. Thus, you can

  (a) easily roll out slave KDCs at remote locations
  (b) or alternatively use LDAP's userPassword read-only at remote locations

All account management features (e.g. the passwd cmdline tool) should direct the workflow back to the core instance (or an instance attached to a master-master synced slapd) of GOsa.

If you need more info on how to integrate Debian Edu's main LDAP db into distributed setups, please don't hesitate to ask. Possibly Cc: me directly, as I don't have that much time to follow up on the D-E mailing list on a day-to-day basis (unfortunately).

Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
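As an added illustration of the "GOsa keeps the three password stores in sync" point above (example code, not Debian Edu's or GOsa's own): a small offline drift check over an LDIF export of TJENER's LDAP. It assumes user entries carry the Samba attribute sambaPwdLastSet (epoch seconds), the MIT Kerberos LDAP attribute krbLastPwdChange (GeneralizedTime, UTC) and POSIX shadowLastChange (days since epoch); if GOsa is the only writer, the three agree to within a day, and a larger gap is a sign that some other tool changed one store and the credentials may no longer match.

```python
from datetime import datetime, timezone

# Constructed sample export (not real data): alice was changed via GOsa,
# bob's password was changed by a tool that only touched the shadow stamp.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
sambaPwdLastSet: 1472769287
krbLastPwdChange: 20160901223447Z
shadowLastChange: 17045

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
sambaPwdLastSet: 1451606400
krbLastPwdChange: 20160101000000Z
shadowLastChange: 17045
"""

TOLERANCE = 86400  # shadowLastChange only has day granularity


def parse_ldif(text):
    # Minimal reader: entries separated by blank lines, "attr: value" lines.
    # Base64 ("attr:: value") and folded lines are not handled here.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()] = value.strip()
        entries.append(entry)
    return entries


def change_times(entry):
    # Normalise the three last-change stamps to Unix epoch seconds (UTC).
    krb = datetime.strptime(entry["krbLastPwdChange"], "%Y%m%d%H%M%SZ")
    return {
        "samba": int(entry["sambaPwdLastSet"]),
        "kerberos": int(krb.replace(tzinfo=timezone.utc).timestamp()),
        "ldap": int(entry["shadowLastChange"]) * 86400,
    }


def find_drift(text, tolerance=TOLERANCE):
    # Return {uid: stamps} for accounts whose stores disagree by > tolerance.
    drifted = {}
    for entry in parse_ldif(text):
        stamps = change_times(entry)
        if max(stamps.values()) - min(stamps.values()) > tolerance:
            drifted[entry["uid"]] = stamps
    return drifted
```

Run it against `slapcat` output (or an ldapsearch export) to list accounts whose Samba, Kerberos and LDAP change times have diverged; those are the ones to re-set through GOsa.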


