Oded Arbel wrote:
On Thursday 29 April 2004 01:00, Yonah Russ wrote:
you do get some with the distribution but they aren't active by default- you need to at least change lines in the inetd or xinetd to activate them- possibly more. With kerberos, when you log in you authenticate against the kerberos server and you get a ticket which is used for authentication against all other kerberized services.
Active directories is very heavy on kerberos- it's theoretically possible to use the same kerberos for both the active directory and linux- I've read you can even convince active directories to use a linux kerberos server.
I only briefly looked into this b/c it means switching to kerberized daemons, etc. very annoying.
Why? I get them with the distribution, I think. I'm a bit hazy on how using kerberos prevents me from needing to type passwords all the time.
Therefore if all your computer clocks are in sync (very important) kerberos will let you not have to type in any passwords.
yes- also you could possibly use ldap of active directory as the backend although I wouldn't suggest it. Almost everything today can support TACACS+ - windows is supposed to support it, unix supports via pam modules, cisco invented it so all their stuff supports it. I personally think the way to go is a TACACS+ server with an LDAP backend.
Not that I'm going to change the way the office handles directory, but will the setup you mentioned allow me to use single sign-on ?
correctly configured you will get not only single sign on, but central logs of logins- who was on what and for how long, and the ability to reconfigure cisco acl's for a computer based on who logs in.
those are two big advantages - also TACACS+ is encrypted so no worrying about cleartext passwords there.
yonah