[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Naive questions about Kerberos+PAM+Win2000



On Thu, Jul 05, 2001 at 06:01:31PM -0400, Lengyel, Florian wrote:
> I have an NT domain with several thousand users, to which I'm going
> to add two LINUX clusters. I would like the users to be authenticated
> by the PDC or BDCs of the NT domain, or else I would like the NT and
> LINUX password databases to be synchronized so that they could be
> administered entirely from NT if one wanted. I understand that I could use
> pam_smb or  pam_ntdom for this purpose. What would I use when the
> NT domain controllers are replaced with Windows 2000 servers? 

You should be able to use any of the many pam_krb5 implementations to
authenticate users by using your server as a KDC in the krb5.conf file.

> Is it possible to use an authentication module for Kerberos
> under Red Hat Linux 7.1 that would work with Windows 2000?

Yes.  There's one included on the CD, and there are others on the net:
Frank Cusack's:
	http://www.fcusack.com/
Naomaru Itoi's, with support for Solaris by Curtis King:
	ftp://ftp.dementia.org/pub/pam/
Wyman Miles's:
	http://is.rice.edu/~wymanm/projects/

I'm pretty certain that this is not a comprehensive list.

> If there is such a kerberos authentication module, does it authenticate
> users through kerberos under windows 2000, bypassing the usual
> LINUX authentication mechanism, or does this kerberos PAM
> only provide authenticated user access to kerberized services?
> I could be missing the point of Kerberos under windows 2000.

At the basic level, pam_krb5 should use the Win2k box as a KDC for
authenticating users, so you can use it in place of pam_unix is you
wish.  I'd recommend keeping root local, though, and mixing the two
so that users with Kerberos principals authenticate using pam_krb5,
and everyone else uses regular /etc/shadow authentication.

Generally, users who authenticate using Kerberos should get a TGT
which they can use to authenticate to other servers in your realm, but
depending on whether or not those servers are expecting additional
authorization data to be present, Kerberized services may or may not be
accessible to those users.

Don't forget that authentication via PAM (or Kerberos) doesn't give you
access to other information about users, such as the location of their
home directories, or their UIDs.  For that, you still need something
like an NIS server, a hesiod database, or an LDAP server (usually using
nss_ldap as a client) or Microsoft's Services For Unix, which I believe
includes an NIS server which runs on top of Active Directory.

Hope this helps,

Nalin





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []