Hello,
IPA can do local overrides for IPA users without AD trusts.
It is a universal feature for any locally or not locally managed users.
And it can override not only POSIX but SSH keys too.
Thanks
Dmitri
Kerberos mailing list Kerberos
Hi Nico,
Thanks.
> See the IETF ABFAB WG. They have a GSS mechanism that can do what you want.
I’m not sure what you mean — they have GSS-EAP of course, but is that
what you mean?
> Per-group principal names are not that useful, especially if you have
> many group memberships. First, it means
> RedHat's FreeIPA may provide some similar functionality, but I'm not familiar
> with it. Ditto Samba.
If I'm not mistaken, FreeIPA 4.1+ should have the ability to overwrite or add
user attributes locally (including "username", uidNumber, group membership).
However, it can only do trusts with
See the IETF ABFAB WG. They have a GSS mechanism that can do what you want.
Kerberos can also do what you want (though some KDC-side pieces may
need to get written), as follows: a) it has two forms of anonymous
principal names (with anon realm and with non-anon realm; you want the
latter), b) the
Hi Greg,
Thanks once more for an extensive answer! It really helps that you point out the
paths, and even already balance pros and cons.
I also don’t know if Kitten will be interested, but we’re willing to help out if this is
the case. Since we’re doing this for other credential types, it wou
On 03/14/2015 05:10 AM, Rick van Rein wrote:
> I’ve been looking for ways of concealing principal names with Kerberos. I think this
> is of interest in relation to Internet-wide realm crossover with Kerberos. The only
> way I found are the anonymity mechanisms of RFC 6112, but that provides
Hello,
Simo Sorce wrote:
>> * Is this concealment of user names considered a good idea?
>
> It may be useful
I now realise I didn’t state my purposes:
* the ability of a remote service to configure access to roles/groups, and
leave the assignment of individuals to roles/groups to the sender r
On Sat, 2015-03-14 at 10:10 +0100, Rick van Rein wrote:
> Hello,
>
> I’ve been looking for ways of concealing principal names with Kerberos. I think this
> is of interest in relation to Internet-wide realm crossover with Kerberos. The only
> way I found are the anonymity mechanisms of RFC
Hello,
I’ve been looking for ways of concealing principal names with Kerberos. I think this
is of interest in relation to Internet-wide realm crossover with Kerberos. The only
way I found are the anonymity mechanisms of RFC 6112, but that provides too little
information to the service to supp