Hi,

First of all, thank you for replying! This was the 3rd post of the same mail with a different subject! ;P

On Mon, 11 Aug 2003 14:34:12 -0400 David Z Maze <[EMAIL PROTECTED]> wrote:

> Do you, in fact, want to migrate your network to using Kerberos?
> It's a moderate amount of infrastructure, and in fact would
> completely replace having shadow files anywhere.

No... I just want to replace NIS! LDAP is the easy answer, right? That's why I used the PASSWD backend. I don't even mind changing the passwords through passwd! I just want to use a more secure way of sharing users across a Linux network.

> I know ~nothing about LDAP. But, there are two somewhat obvious
> possibilities if you need an LDAP/Kerberos world:
>
> (1) Figure out a way to use LDAP unencrypted for only the information
>     that would normally be in /etc/passwd. (Which is close to
>     what MIT does, but using Hesiod, which is a thin layer on top
>     of DNS.)

Unencrypted? Don't you mean ENCRYPTED? Thinking of it, I know it's possible to use LDAP through a stunnel... And I read somewhere that LDAP2 does this by itself. Then I would only need to change nsswitch.conf and configure PAM. (I THINK!! I have to read more about it, though...) I'll google for Hesiod anyway... to see what that is! :P

> (2) Generate a Kerberos keytab for each machine (you might want this
>     anyways to allow things like inbound Kerberos-authenticated
>     ssh). Get tickets using the keytab (kinit -k). Using this,
>     get Kerberos-authenticated LDAP entries. Then lose the host
>     tickets, verify the username, get a password, and using this,
>     get user Kerberos tickets.
>
> There might even be a good prepackaged way to do (2), but I
> really don't know.
>
> > To log in with Kerberos I have to add all users as principals.
>
> Yes. <nods> If you're using other infrastructure that supports
> it (IMAP and AFS are obvious things that come to mind) then this
> still might be a good way to go; it does save a fair bit of
> typing passwords to get at things.
>
> Otherwise, you probably want
> to ignore anything that says "Kerberos" or "GSSAPI" in the
> package description.

I agree with you... even the explanation of the protocol is confusing! What alternatives do you suggest?

Thanks again,

--- Paladin
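Added example, not part of the thread and not either poster's code: the "change nsswitch.conf and configure PAM" step above is where a NIS-to-LDAP migration usually ends up sending passwords in the clear, because nss_ldap (the name-service lookups) and pam_ldap (the authentication bind with the user's own password) both read /etc/ldap.conf, and the default there is no TLS and no server verification. The script below shows a weak and a hardened client config side by side and lints them. The option names (host, uri, base, ssl, tls_checkpeer, tls_cacertfile, pam_password) are the PADL nss_ldap/pam_ldap ones; "ssl start_tls" makes the client issue the LDAPv3 StartTLS extended operation on port 389, "ssl on" means LDAPS on 636. The hostnames, base DN, CA file path and the nsswitch.conf content are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: lint an nss_ldap/pam_ldap client
# config (/etc/ldap.conf style) for cleartext LDAP, with a weak and a
# hardened sample side by side. The option names (host, uri, base, ssl,
# tls_checkpeer, tls_cacertfile, pam_password) are the PADL nss_ldap /
# pam_ldap ones; the hostnames, base DN and CA path are invented.
set -eu

# Constructed sample: a typical first NIS replacement. With "ssl no" every
# nss_ldap lookup and every pam_ldap simple bind (i.e. the user's password)
# crosses the network in the clear, and the server is never authenticated.
WEAK_CONF='host ldap.example.test
base dc=example,dc=test
ssl no
pam_password md5'

# Constructed sample: same directory, but StartTLS on the port 389 connection
# and the server certificate checked against a local CA file.
HARD_CONF='uri ldap://ldap.example.test/
base dc=example,dc=test
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.pem
pam_password exop'

# Constructed sample nsswitch.conf. passwd/group/shadow come from LDAP after
# the local files; hosts deliberately does not, so resolving the LDAP
# server's own name can never depend on LDAP.
NSSWITCH='passwd:   files ldap
group:    files ldap
shadow:   files ldap
hosts:    files dns'

# conf_value FILE KEY
# Prints the last value set for KEY (case-insensitive, comments skipped),
# or an empty line if KEY is absent.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*#/                   { next }
        tolower($1) == tolower(key)  { v = $2 }
        END                          { print v }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# ldap_conf_is_encrypted FILE
# Succeeds (0) only when TLS is on (ssl start_tls, or ssl on/yes, which
# means ldaps on 636) AND the peer is verified (tls_checkpeer yes plus a
# tls_cacertfile). An unset ssl key counts as cleartext.
ldap_conf_is_encrypted() {
    case "$(lower "$(conf_value "$1" ssl)")" in
        start_tls|on|yes) ;;
        *) return 1 ;;
    esac
    case "$(lower "$(conf_value "$1" tls_checkpeer)")" in
        yes|on|true) ;;
        *) return 1 ;;
    esac
    [ -n "$(conf_value "$1" tls_cacertfile)" ] || return 1
    return 0
}

# nsswitch_uses_ldap FILE DB
# Succeeds when the DB line (passwd, group, shadow, hosts, ...) lists ldap.
nsswitch_uses_ldap() {
    awk -v db="$2" '
        { line = $0; sub(/#.*/, "", line)
          n = split(line, f, /[ \t:]+/)
          if (f[1] == db) for (i = 2; i <= n; i++) if (f[i] == "ldap") found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Demo: write the constructed samples to a scratch directory and lint them.
tmp=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$tmp/ldap.conf.weak"
printf '%s\n' "$HARD_CONF" > "$tmp/ldap.conf.hard"
printf '%s\n' "$NSSWITCH"  > "$tmp/nsswitch.conf"
for f in "$tmp/ldap.conf.weak" "$tmp/ldap.conf.hard"; do
    if ldap_conf_is_encrypted "$f"; then
        echo "OK   $f: TLS on and server certificate verified"
    else
        echo "WEAK $f: cleartext LDAP or unverified server"
    fi
done
for db in passwd shadow hosts; do
    if nsswitch_uses_ldap "$tmp/nsswitch.conf" "$db"; then
        echo "$db: from ldap"
    else
        echo "$db: not from ldap"
    fi
done
```

On a real client, source the functions and run ldap_conf_is_encrypted /etc/ldap.conf before pointing nsswitch.conf at ldap; a config that turns on "ssl start_tls" but leaves tls_checkpeer off is still reported as weak, because without certificate verification an on-path attacker can present its own server and collect the pam_ldap binds.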