<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
[...]<br>
<span style="white-space: pre;">><br>
><br>
> For a read-only KDC we need to investigate what's the better solution.<br>
> There are many ways we can handle the issue, one of the simplest is probably to allow the RO KDC to use a special LDAP Extended operation against a full R/W server to get the user keys to sign, authenticating with a special R/O KDC principal.<br>
> We can also investigate how MS does internal forwarding and do something similar as I suspect that's something samba4-RODC will want to implement too, so we could share some of the development burden there.<br>
><br>
> Simo.<br>
></span><br>
<br>
I do not think it is a good idea for the remote RO KDC to go back to the main datacenter on every authentication without some sort of caching. This is why I think that some kind of SSSD integration might be due. If RO KDC would just pass the authentication to SSSD in some way and SSSD would do the caching in case the office goes offline. I understand that authhub as is will not work as the client sends time stamp encrypted with password and SSSD needs plain text password as credential. I do not know if there is a way to solve this without actually sending the password in the tunnel. IMO it is more important to make sure that remote office can have uninterrupted operation than to worry about the password being sent inside the encrypted tunnel. It is something that deployment should decide and weigh risks against convenience.<br>
<br>
-- <br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager IPA project,<br>
Red Hat Inc.<br>
<br>
<br>
-------------------------------<br>
Looking to carve out IT costs?<br>
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><br>
<br>
<br>
<br>
</body>
</html>