Single sign-on infrastructure (FC5 wish)

Charles Lopes tjarls at iee.lu
Wed Jun 22 10:13:15 UTC 2005


Mike MacCana wrote:

>On Tue, 2005-06-21 at 10:11 -0500, Jason L Tibbitts III wrote:
>
>>>>>>> "AB" == Alexander Boström <abo at kth.se> writes:
>>
>>AB> I don't know how that works but I must say I'm very sceptical,
>>AB> mostly from a security standpoint. What's the advantage of doing
>>AB> it that way?
>>
>>A single replication infrastructure.  I use the MIT KDC because it's
>>what Red Hat happens to ship, but I'd much rather have everything in
>>LDAP instead of having two separate systems to configure and maintain.
>
>So Heimdal can use an LDAP data store? Sweet. Thanks so much for your
>post.
>
>I've wanted MIT krb5 to do this (in a non-hacky way) for ages.
>
A data abstraction layer (DAL) patch that does just that has just been
committed to the CVS of MIT KDC.

>Can Heimdal do Kerberos over TCP, and does it support MS specific
>encryption types, like MIT Kerberos does?
>
Quoted from heimdal.info:

>Encryption types
>================
>
>Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
>des-cbc-md5) and its own proprietary encryption that is based on MD4 and
>rc4 that is documented in and is supposed to be described in
>`draft-brezak-win2k-krb-rc4-hmac-03.txt'.  New users will get both MD4
>and DES keys.  Users that are converted from a NT4 database, will only
>have MD4 passwords and will need a password change to get a DES key.
>
>Heimdal implements both of these encryption types, but since DES is the
>standard and the hmac-code is somewhat newer, it is likely to work
>better.
>
Also I believe Heimdal can (or will be able to) use the LDAP attribute 
"sambaNTPassword" as an arcfour-hmac-md5 Kerberos key. I haven't tried 
MIT KDC+DAL (or Heimdal for that matter), but I guess that the raison 
d'être of DAL being its possible use alongside future versions of Samba, 
it's likely to support the same feature.

On a related note, my hardest headache is renewing keys for users that 
have home directories accessed via NFS4+krb5. We could not get 
"gnome-kerberos" or "xscreensaver" to do it, so we keep a terminal 
window open so that kinit can be run there. Am I missing something?

Also is the new kernel keyring facility planned for FC5 inclusion?
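
Added example, not from this thread and not code from Heimdal, MIT Kerberos or Samba: the reason "sambaNTPassword" can be used directly as an arcfour-hmac-md5 key is that the RFC 4757 string-to-key function for that enctype is MD4 over the UTF-16LE password with no salt, which is exactly the NT hash Samba stores in that attribute. The script below derives the key both ways and checks a stored attribute against a password; the LDIF-style sample line and the helper names (nt_hash, key_from_samba_attr, attr_matches_password) are my own constructions. The consequence for anyone wiring this up: the attribute is the user's long-term Kerberos key itself, not a password verifier, so its LDAP read ACL has to be as strict as access to the KDC database, and it must never be readable by anonymous or ordinary authenticated binds.

```python
# Added example: RC4-HMAC (arcfour-hmac-md5) string-to-key vs. sambaNTPassword.
# Not from the thread or from Heimdal/MIT/Samba sources.
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def _md4_pure(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used when OpenSSL has no legacy provider."""
    def f(x, y, z): return ((x & y) | (~x & z)) & _MASK
    def g(x, y, z): return ((x & y) | (x & z) | (y & z)) & _MASK
    def h(x, y, z): return (x ^ y ^ z) & _MASK

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length little-endian.
    msg = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
           + struct.pack("<Q", len(data) * 8))
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F, message words in order
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & _MASK,
                                  (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK,
                                  (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,...
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & _MASK,
                                  (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def md4(data: bytes) -> bytes:
    """MD4 via OpenSSL when available, else the pure-Python fallback."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # "unsupported hash type md4" on OpenSSL 3 without legacy
        return _md4_pure(data)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); 'utf-16-le' emits no BOM."""
    return md4(password.encode("utf-16-le"))


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: identical to the NT hash, 16 bytes, no salt."""
    return nt_hash(password)


def key_from_samba_attr(attr_line: str) -> bytes:
    """Parse an LDIF-style 'sambaNTPassword: <32 hex chars>' line into key bytes."""
    name, _, value = attr_line.partition(":")
    if name.strip() != "sambaNTPassword":
        raise ValueError("not a sambaNTPassword attribute")
    key = bytes.fromhex(value.strip())
    if len(key) != 16:
        raise ValueError("NT hash must be 16 bytes")
    return key


def attr_matches_password(attr_line: str, password: str) -> bool:
    """True when the stored attribute equals the RC4-HMAC key for `password`."""
    return hmac.compare_digest(key_from_samba_attr(attr_line),
                               rc4_hmac_string_to_key(password))


if __name__ == "__main__":
    # Constructed sample LDAP attribute; the hex value is the NT hash of "password".
    sample_attr = "sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C"
    print("string-to-key :", rc4_hmac_string_to_key("password").hex())
    print("attribute key :", key_from_samba_attr(sample_attr).hex())
    print("match         :", attr_matches_password(sample_attr, "password"))
```

hashlib's md4 is missing on OpenSSL 3 hosts unless the legacy provider is loaded, which is why the fallback exists; both paths give the same digest, so a KDC that reads the attribute and a Samba server that writes it agree on the key bytes. The comparison uses hmac.compare_digest so that a verifier built on this idea does not leak timing information about the stored key.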
