Single sign-on infrastructure (FC5 wish)
Charles Lopes
tjarls at iee.lu
Wed Jun 22 10:13:15 UTC 2005
Mike MacCana wrote:
>On Tue, 2005-06-21 at 10:11 -0500, Jason L Tibbitts III wrote:
>
>
>>>>>>>"AB" == Alexander Boström <abo at kth.se> writes:
>>>>>>>
>>>>>>>
>>AB> I don't know how that works but I must say I'm very sceptical,
>>AB> mostly from a security standpoint. What's the advantage of doing
>>AB> it that way?
>>
>>A single replication infrastructure. I use the MIT KDC because it's
>>what Red Hat happens to ship, but I'd much rather have everything in
>>LDAP instead of having two separate systems to configure and maintain.
>>
>>
>
>So Heimdal can use an LDAP data store? Sweet. Thanks so much for your
>post.
>
>I've wanted MIT krb5 to do this (in a non hacky way) for ages.
>
>
>
A data abstraction layer (DAL) patch that does just that has just been
committed to the CVS of the MIT KDC.
>Can Heimdal do Kerberos over TCP, and does it support MS specific
>encryption types, like MIT Kerberos does?
>
>
Quoted from heimdal.info:
>Encryption types
>================
>
>Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
>des-cbc-md5) and its own proprietary encryption that is based on MD4 and
>rc4 that is documented in and is supposed to be described in
>`draft-brezak-win2k-krb-rc4-hmac-03.txt'. New users will get both MD4
>and DES keys. Users that are converted from a NT4 database, will only
>have MD4 passwords and will need a password change to get a DES key.
>
>Heimdal implements both of these encryption types, but since DES is the
>standard and the hmac-code is somewhat newer, it is likely to work
>better.
>
>
Also, I believe Heimdal can (or will be able to) use the LDAP attribute
"sambaNTPassword" as an arcfour-hmac-md5 Kerberos key. I haven't tried
MIT KDC+DAL (or Heimdal, for that matter), but I guess that, the raison
d'être of DAL being its possible use alongside future versions of Samba,
it's likely to support the same feature.
On a related note, my hardest headache is renewing keys for users that
have home directories accessed via NFS4+krb5. We could not get
"gnome-kerberos" or "xscreensaver" to do it, so we keep a terminal
window open so that kinit can be run there. Am I missing something?
Also is the new kernel keyring facility planned for FC5 inclusion?