From: "Mantas Mikulėnas" <grawity@gmail.com>
To: ben@cogs.com
Cc: tuhs@minnie.tuhs.org, gtaylor@tnetconsulting.net
Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP
Date: Tue, 6 Nov 2018 08:53:58 +0200 [thread overview]
Message-ID: <CAPWNY8WH09se3ZiJOsYYNBJGzgR7wgdA0tScKq3DFxRnEjCWBg@mail.gmail.com> (raw)
In-Reply-To: <D1834A80-1F31-4F16-9AC2-E6004E3AE4E6@cogs.com>
[-- Attachment #1: Type: text/plain, Size: 1810 bytes --]
On Tue, Nov 6, 2018, 01:32 Ben Greenfield via TUHS <tuhs@minnie.tuhs.org>
wrote:
>
>
> > On Nov 5, 2018, at 2:36 PM, Grant Taylor via TUHS <tuhs@minnie.tuhs.org>
> wrote:
> >
> > On 11/05/2018 12:24 AM, Mantas Mikulėnas wrote:
> >> Let the client handle authentication via Kerberos
> >
> > I don't know enough about Kerberos (yet) to know if it would be possible
> for a login process to communicate with the KDC and get a TGT as part of
> logging in, without already being logged in.
> >
> > My ignorance is leaving me with a priming problem that seems like a
> catch 22. You can't login without shadow information or TGT. But
> traditional (simpler) kinit is run after being logged in. So ... how do
> you detangle that? The only thing that I can come up with is that the
> login process does the kinit functionality on the users behalf.
>
> I found that I had to do all of this using SASL.
>
>
> I remember it as SASL would handle the kerberization during boot up
> getting tickets for each LDAP entry that you wanted mapped to a service on
> that client.
>
Sorry but I cannot parse that sentence at all...
> I could be wrong but I think SASL seems to be way connect services on
> Linux with LDAP that are served kerberized.
>
SASL is involved somewhat, in that it does help with implementing Kerberos
– services and clients can call libsasl instead of talking Kerberos
directly, abstract away the complexity – but that's all it is, an
abstraction layer. (A quite useful one, though.)
But it's not the only method, strictly speaking (e.g. SSH and HTTP use
GSSAPI, and various older software use Kerberos directly). And as far as I
could understand the previous paragraph – it doesn't have anything specific
about "kerberization during boot up".
[-- Attachment #2: Type: text/html, Size: 2459 bytes --]
next prev parent reply other threads:[~2018-11-06 9:12 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-04 20:51 Grant Taylor via TUHS
2018-11-04 21:46 ` Ben Greenfield via TUHS
2018-11-04 22:45 ` Arthur Krewat
2018-11-04 22:58 ` Mantas Mikulėnas
2018-11-04 23:49 ` Warner Losh
2018-11-05 3:16 ` Robert Brockway
2018-11-05 6:08 ` Grant Taylor via TUHS
2018-11-05 7:24 ` Mantas Mikulėnas
2018-11-05 7:33 ` Mantas Mikulėnas
2018-11-05 16:12 ` Arthur Krewat
2018-11-05 19:32 ` Grant Taylor via TUHS
2018-11-05 22:43 ` Arthur Krewat
2018-11-06 5:25 ` Grant Taylor via TUHS
2018-11-06 16:50 ` Arthur Krewat
2018-11-06 19:43 ` Grant Taylor via TUHS
2018-11-05 19:27 ` Grant Taylor via TUHS
2018-11-05 19:36 ` Grant Taylor via TUHS
2018-11-05 21:36 ` Mantas Mikulėnas
2018-11-05 23:12 ` Grant Taylor via TUHS
2018-11-05 21:43 ` Ben Greenfield via TUHS
2018-11-06 4:58 ` Grant Taylor via TUHS
2018-11-06 12:59 ` Ben Greenfield via TUHS
2018-11-06 6:53 ` Mantas Mikulėnas [this message]
2018-11-06 13:21 ` Ben Greenfield via TUHS
2018-11-06 13:44 ` Mantas Mikulėnas
2018-11-06 14:00 ` Ben Greenfield via TUHS
2018-11-06 13:46 ` Mantas Mikulėnas
2018-11-05 22:34 ` Dan Cross
2018-11-06 5:24 ` Grant Taylor via TUHS
2018-11-06 7:07 ` Mantas Mikulėnas
2018-11-06 17:30 ` Grant Taylor via TUHS
2018-11-06 19:58 ` Mantas Mikulėnas
2018-11-06 22:24 ` Dan Cross
2018-11-07 0:35 ` Grant Taylor via TUHS
2018-11-07 11:37 ` Pete Turnbull
2018-11-07 17:30 ` Grant Taylor via TUHS
2018-11-07 22:01 ` Dave Horsfall
2018-11-08 1:48 ` Dave Horsfall
2018-11-07 23:00 ` Pete Turnbull
2018-11-07 1:03 ` Pete Turnbull
2018-11-06 12:54 ` Ben Greenfield via TUHS
2018-11-05 20:10 ` Dave Horsfall
2018-11-05 3:49 ` Larry McVoy
2018-11-05 6:12 ` Grant Taylor via TUHS
2018-11-05 19:58 ` Dave Horsfall
2018-11-05 22:53 ` Grant Taylor via TUHS
2018-11-06 1:28 ` Dave Horsfall
2018-11-05 15:44 ` Larry McVoy
2018-11-05 18:38 ` arnold
2018-11-05 19:04 ` Larry McVoy
2018-11-05 21:21 ` Noel Hunt
2018-11-07 8:58 ` arnold
2018-11-07 14:05 ` arnold
2018-11-05 20:48 ` A. P. Garcia
2018-11-05 23:07 ` Grant Taylor via TUHS
2018-11-06 1:46 ` Dan Cross
2018-11-06 5:32 ` Grant Taylor via TUHS
2018-11-06 22:29 ` Dan Cross
2018-11-07 0:40 ` Grant Taylor via TUHS
2018-11-07 1:38 ` Arthur Krewat
2018-11-06 3:03 ` Robert Brockway
2018-11-06 5:03 ` David Arnold
2018-11-06 5:34 ` Grant Taylor via TUHS
2018-11-06 23:59 Norman Wilson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPWNY8WH09se3ZiJOsYYNBJGzgR7wgdA0tScKq3DFxRnEjCWBg@mail.gmail.com \
--to=grawity@gmail.com \
--cc=ben@cogs.com \
--cc=gtaylor@tnetconsulting.net \
--cc=tuhs@minnie.tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).