On Wed, 2013-08-28 at 18:37 +0200, Marc Muehlfeld wrote:
> Hello,
>
> I took this out of the "OpenSSH auth in SAMBA4 LDAP" thread, because it
> was drifting away from its original question :-)
>
> I played a bit this afternoon with nslcd and Kerberos for extending my
> Wiki HowTo. But the more I read, the bigger one question becomes:
> What are the advantages of Kerberos over simple bind with DN and
> password?
>
> Simple bind method: Create a user, add the credentials to the root-only
> readable file nslcd.conf. Done.
>
> Kerberos: Create user, add a SPN, extract keytab, edit nslcd.conf (ok.
> This is all done only once.). But then, if I understand it right, I need
> something that renews the Kerberos ticket from time to time. In your
> blog you use k5start for that. Also Fedora 19 and RHEL6 don't have it
> in their repositories. So something more to compile and to ensure
> that it starts and runs. :-)
>
> So currently I don't see what the advantages of Kerberos are and in
> which way it should be easier or anything else. :-)
>
> Maybe someone can give me (Kerberos beginner) some answers/hints. :-)

Hi

If you're happy with plain text passwords being passed over the network
then use them. There may be some admins that will not be able to do that
though, so...

You may want to kerberise it. It's very easy: you don't need to create
anything new. Just use an object you already have. You always have a
machine key, for example. On the DC, you'll have to extract its keytab
but otherwise, away you go:

    k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt &

If you need to be up more than 10 hours a day and if you don't like
k5start, cron it. The clients already have the keytab so nothing else to
do.

HTH
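
The two nslcd.conf setups compared in this thread, side by side, as an added example that is not part of either message. The server URI, search base, bind DN and password are constructed placeholders; the cache path and owner are the ones from the k5start command above.

```conf
# /etc/nslcd.conf (fragment) -- constructed values, adjust to your domain

uid nslcd-user                  # must match the -o owner given to k5start,
                                # otherwise nslcd cannot read the ticket cache
uri ldap://dc1.example.com/     # placeholder DC
base dc=example,dc=com          # placeholder search base

# --- Variant A: simple bind -------------------------------------------
# A long-lived password is stored in this file and is the credential
# sent to the server on every bind.
#binddn cn=nslcd-service,cn=Users,dc=example,dc=com
#bindpw CONSTRUCTED-PLACEHOLDER-PASSWORD

# --- Variant B: GSSAPI (Kerberos) bind --------------------------------
# No password in the file. nslcd authenticates with the ticket that
# k5start (or a cron job) keeps fresh in /tmp/nslcd.tkt.
sasl_mech GSSAPI
krb5_ccname /tmp/nslcd.tkt
```

With variant B, the file mode of nslcd.conf no longer protects a secret; the secret is the keytab, so /etc/krb5.keytab is what needs to stay root-only.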