On 11/05/2018 12:24 AM, Mantas Mikulėnas wrote:
> Let the client handle authentication via Kerberos

I don't know enough about Kerberos (yet) to know if it would be possible 
for a login process to communicate with the KDC and get a TGT as part of 
logging in, without already being logged in.

My ignorance is leaving me with a priming problem that seems like a 
catch 22.  You can't login without shadow information or TGT.  But 
traditional (simpler) kinit is run after being logged in.  So ... how do 
you detangle that?  The only thing that I can come up with is that the 
login process does the kinit functionality on the users behalf.

I can see how NIS(+) sans-shadow could still be useful.  I can also see 
how LDAP could be a close approximation / replacement for NIS(+) in this 
case.



-- 
Grant. . . .
unix || die