<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> [...] > > > For a read-only KDC we need to investigate what's the better solution. > There are many ways we can handle the issue, one of the simplest is > probably to allow the RO KDC to use a special LDAP Extended operation > against a full R/W server to get the user keys to sign, authenticating > with a special R/O KDC principal. We can also investigate how MS does > internal forwarding and do something similar as I suspect that's > something samba4-RODC will want to implement too, so we could share some > of the development burden there. > > Simo. > I do not think it is a good idea for the remote RO KDC to go back to the main datacenter on every authentication without some sort of caching. This is why I think that some kind of SSSD integration might be due. If RO KDC would just pass the authentication to SSSD in some way and SSSD would do the caching in case the office gets offline. I understand that authhub as is will not work as the client sends time stamp encrypted with password and SSSD needs plain text password as credential. I do not know if there is a way to solve this without actually sending the password in the tunnel. IMO it is more important to make sure that remote office can have uninterrupted operation than to worry about the password being sent inside the encrypted tunnel. It is something that deployment should decide and weight risks against convenience. -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </body> </html>