Network nirvana [Re: Since Fedora is not aimed at enterprise/business ..]

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Thu Oct 2 08:08:01 UTC 2003


On Thu, 2003-10-02 at 01:47, Chris Ricker wrote:
> On Wed, 1 Oct 2003, Owen Taylor wrote:

> Well, the problem here is that with Kerberos the complexity isn't in things
> like the configuration files or the commands -- it's the whole
> authentication process of principals getting ticket-granting tickets which
> allow them to get service tickets which they then present to the service to
> be authenticated and authorized to use it. To administer it, you have to
> understand the whole flow of all that at a conceptual level.

I agree Kerberos is not a child's toy, but if M$ has made it usable, it
means that, besides its complexity, admin tools can be developed to make
it more palatable to the inexperienced administrator. I think the idea
is to integrate tools like "libuser" to work against Kerberos: should an
admin invoke "useradd", the corresponding entry should be created in the
user repository (i.e. OpenLDAP) and the security principal on the
Kerberos KDC.

> If you look at, say, /etc/krb5.conf you'll find that the syntax is
> reasonably sane and that there's very little you normally change, barring
> rare complexities like setting up direct (non-hierarchical) cross-realm
> authentication. Even things as simple as authconfig mostly configure that
> right already. Similarly, the commands you use to generate principals and
> such aren't difficult. At least IMHO, it's the logic of "when do I need this
> command" that's the complex part, and that goes back to understanding the
> system, which goes back to docs.

I think Kerberos is complex, but many other things like IPSec and
XFree86 are complex enough too and they work reliably and don't need a
lot of tweaking and configuration. We need to work in order to develop
more robust, out-of-the-box tools. For example, during installation, the
/etc/krb5.conf could be automatically customized to change EXAMPLE.COM
to a valid Kerberos V realm aligned with the DNS suffix.

> You'll see that if you look at the existing Kerberos GUIs, or at least the
> two I've used. Sun has gkadmin (usual Solaris Java applet mess) and MS has a
> whole slew of stuff for AD, and neither are really usable unless you know
> how the process works....

Haven't worked with any of them, but even on Windows, there is no
Kerberos admin tool. It's nearly automatic and you have fallback
authentication protocols like the weak NTLM.

> There are a few defaults in Red Hat which could be tuned better -- for
> example, last I looked, Red Hat randomly used a different default encryption
> for tickets than any other MIT-derived Kerberos, which makes things "fun" if
> you have, say, Solaris and Red Hat around. Good luck designing a GUI which 
> can walk admins through diagnosing that ;-)

Don't know what you are talking about, but I've several boxes running on
Red Hat (with MIT Kerberos) and two others with SuSE Linux 8.2 (running
Heimdal) and they are totally and seamlessly interoperable.
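As an added example (not code from this thread, nor from Fedora, libuser or MIT Kerberos), here is the install-time customization Felipe proposes: derive the realm from the host's DNS suffix instead of the stock EXAMPLE.COM and render a krb5.conf for it, plus a check that the placeholder is really gone. The KDC name kerberos.<suffix> and all function names are assumptions.

```python
import re
import socket

# Placeholder realm in a stock krb5.conf (as named in the thread); a config
# that still references it has never been customized for its own site.
PLACEHOLDER_REALM = "EXAMPLE.COM"


def realm_from_fqdn(fqdn):
    """Return (dns_suffix, realm) for a fully qualified host name, using the
    usual convention that the realm is the DNS suffix in upper case.
    A bare host name has no suffix to derive a realm from, so it raises."""
    labels = [x for x in fqdn.strip().rstrip(".").split(".") if x]
    if len(labels) < 2:
        raise ValueError("no DNS suffix in %r, cannot derive a realm" % fqdn)
    domain = ".".join(labels[1:]).lower()
    return domain, domain.upper()


def render_krb5_conf(domain, realm, kdc):
    """Render a minimal krb5.conf: the default realm, its KDC and admin
    server, and a domain_realm mapping for every host under the suffix."""
    return (
        "[libdefaults]\n"
        "    default_realm = %(realm)s\n"
        "\n"
        "[realms]\n"
        "    %(realm)s = {\n"
        "        kdc = %(kdc)s\n"
        "        admin_server = %(kdc)s\n"
        "    }\n"
        "\n"
        "[domain_realm]\n"
        "    .%(domain)s = %(realm)s\n"
        "    %(domain)s = %(realm)s\n"
    ) % {"realm": realm, "kdc": kdc, "domain": domain}


def still_has_placeholder(conf_text):
    """True when the config still references the stock placeholder realm."""
    pattern = r"\b%s\b" % re.escape(PLACEHOLDER_REALM)
    return re.search(pattern, conf_text) is not None


def generate_for_host(fqdn=None, kdc=None):
    """Build the config for this host (or an explicit FQDN). The KDC name
    kerberos.<suffix> is an assumed site convention, not a Kerberos default."""
    fqdn = fqdn or socket.getfqdn()
    domain, realm = realm_from_fqdn(fqdn)
    return render_krb5_conf(domain, realm, kdc or "kerberos." + domain)
```

Running `still_has_placeholder` over the installed /etc/krb5.conf is the quick post-install check that the customization actually happened.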
