5 Nov
2018
5 Nov
'18
8:36 p.m.
On 11/05/2018 12:24 AM, Mantas Mikulėnas wrote:
Let the client handle authentication via Kerberos
I don't know enough about Kerberos (yet) to know if it would be possible
for a login process to communicate with the KDC and get a TGT as part of
logging in, without already being logged in.
My ignorance is leaving me with a priming problem that seems like a
catch 22. You can't login without shadow information or TGT. But
traditional (simpler) kinit is run after being logged in. So ... how do
you detangle that? The only thing that I can come up with is that the
login process does the kinit functionality on the users behalf.
I can see how NIS(+) sans-shadow could still be useful. I can also see
how LDAP could be a close approximation / replacement for NIS(+) in this
case.
--
Grant. . . .
unix || die