5 Nov
2018
5 Nov
'18
10:43 p.m.
On Nov 5, 2018, at 2:36 PM, Grant Taylor via TUHS
<tuhs(a)minnie.tuhs.org> wrote:
On 11/05/2018 12:24 AM, Mantas Mikulėnas wrote:
I found that I had to do all of this using SASL.
I remember it as SASL would handle the kerberization during boot up getting tickets for
each LDAP entry that you wanted mapped to a service on that client.
I could be wrong but I think SASL seems to be way connect services on Linux with LDAP that
are served kerberized.
Thanks,
Ben
Let the client handle authentication via Kerberos
I don't know enough about Kerberos (yet) to know if it would be possible for a login
process to communicate with the KDC and get a TGT as part of logging in, without already
being logged in.
My ignorance is leaving me with a priming problem that seems like a catch 22. You
can't login without shadow information or TGT. But traditional (simpler) kinit is
run after being logged in. So ... how do you detangle that? The only thing that I can
come up with is that the login process does the kinit functionality on the users behalf.
I can see how NIS(+) sans-shadow could still be useful. I can also see how LDAP could be
a close approximation / replacement for NIS(+) in this case.
--
Grant. . . .
unix || die