Grant Taylor gtaylor at tnetconsulting.net
Tue Nov 6 05:36:30 AEST 2018

On 11/05/2018 12:24 AM, Mantas Mikul─Śnas wrote:
> Let the client handle authentication via Kerberos

I don't know enough about Kerberos (yet) to know if it would be possible 
for a login process to communicate with the KDC and get a TGT as part of 
logging in, without already being logged in.

My ignorance is leaving me with a priming problem that seems like a 
catch 22.  You can't login without shadow information or TGT.  But 
traditional (simpler) kinit is run after being logged in.  So ... how do 
you detangle that?  The only thing that I can come up with is that the 
login process does the kinit functionality on the users behalf.

I can see how NIS(+) sans-shadow could still be useful.  I can also see 
how LDAP could be a close approximation / replacement for NIS(+) in this 

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3982 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20181105/cefeef3f/attachment.bin>

More information about the TUHS mailing list