systematic Kerberization

Doncho N. Gunchev mr700 at globalnet.bg
Thu Jun 3 07:35:22 UTC 2004


On Wednesday 02 June 2004 15:04, Pau Aliagas wrote:
> On Mon, 10 May 2004, Havoc Pennington wrote:
> 
> Sorry to be late and maybe a little off-topic.
> 
> > Something we've wanted to do for a long time is create a matrix of
> > programs that should support Kerberos authentication, and start checking
> > them off. I guess this includes both client-side and server-side.
> >
> > Does anyone have a good start on this?
> >
> > Any real-world experience/scenarios where Kerberos support was needed
> > and not available? (Which things should be Kerberized first?)
> 
> I've been trying really hard to implement kerberos+ldap in fedora 
> development and FC1/FC2 and I'm almost done, but there is one important 
> thing that does not work: loginShell is ignored by nss_ldap.
> 
> I'd like to post an example configuration to make this systematic 
> Kerberization a fact, something to start playing with, but I haven't been 
> able to get a "bash" shell when using ldap. Any hints?
> 
> login always launches "/bin/sh" ignoring the ldap entries. finger and 
> getent also ignore the loginShell, so I strongly suspect it's an nss_ldap 
> bug.
> 
> Thanks
> Pau

    I've been trying too, but not that hard. Can you please describe this
somewhere and post a link? I was fighting to make the system authenticate
all users with UID < 500/1000 the old way and all others (mail/samba only)
with LDAP/Kerberos, which is ideal in my eyes. The idea was that even with
no network at all I still can log in locally as root/UID<500/1000 and fix it.
Kerberos + LDAP + Samba would be great for hybrid environments with WinXX
workstations, Linux servers and workstation(s) (my case).

-- 
Regards,
  Doncho N. Gunchev    Registered Linux User #291323 at counter.li.org
  GPG-Key-ID: 1024D/DA454F79
  Key fingerprint = 684F 688B C508 C609 0371  5E0F A089 CB15 DA45 4F79




