From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: tuhs-bounces@minnie.tuhs.org X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: * X-Spam-Status: No, score=1.2 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, DKIM_INVALID,DKIM_SIGNED,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE,SUBJ_ALL_CAPS autolearn=no autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id 08520934 for ; Tue, 6 Nov 2018 09:12:18 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id 2ED38A242E; Tue, 6 Nov 2018 19:12:17 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id 2BD11A22EC; Tue, 6 Nov 2018 19:11:44 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id D6311A22EA; Tue, 6 Nov 2018 16:54:17 +1000 (AEST) Received: from mail-oi1-f177.google.com (mail-oi1-f177.google.com [209.85.167.177]) by minnie.tuhs.org (Postfix) with ESMTPS id 1E7ECA2162 for ; Tue, 6 Nov 2018 16:54:11 +1000 (AEST) Received: by mail-oi1-f177.google.com with SMTP id c25-v6so9855830oiy.0 for ; Mon, 05 Nov 2018 22:54:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xlwU89rCgiyVckE5NGY/Nxcfz+vodxe7Gyn7hOdyyDg=; b=qokizb+vZOjGX9OUuZkQAudrR2viqxnJN8Vfnrvzk0h5wl7TNomlQzKYUEObyBq2Ac v5ZWqAbVJ/JuL5Qz8liqcQfD85vLRi1HR+pASBIgAuER53KeS0NtADX4eyCWdTV9njkq LmQGbzYHBXFz5eZeIrhrcbHzEzjPC7yZiWJaZBj3BUj+zMMTMSLn88PsScwFVVUSCkH8 qAIMwWcLtJkfbC6rUAxkLAxi7q947WGnR+LvM9ioYCugng2YcF+ANLNSmtMOkOa4fnC7 6quREKCNpVslmoRYFZ96Ac10mvIZaWhnKWJ8JDeXHa2nv5tmMZfc3N+fehKyemO5ZRE/ 5w7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xlwU89rCgiyVckE5NGY/Nxcfz+vodxe7Gyn7hOdyyDg=; b=VmcPH7HHUifBScImdCkAajZi2sFEy+ZlWX5gv0R7Tw6ZFAHsAdmRqENQ1pSf1X/Doe Z46FReQKvpqAWJDJzcUS4F8rUHtVjp+Lkp+phD4PTJKF+jpyzd3Bfxd/F+yicg0pG7ll Ed0yul61PcC9iohYKLvRxi5jbmGFN1jaG3pSAgiw/UTe2RIBEdIzyPimI6aAturNFxe4 GFk8fUCCWn4JWWDO5PIb2F8dQlNYvtOaUm4eaElSRSeQfylHMWIevWuMiNiE0HcPlO07 f1Jv/CLDjWySirAhiO3M+opm4f/PMRP/ZRwU2ExJ+1lreuppg+reij2UTph6uixRGQYl 3tVg== X-Gm-Message-State: AGRZ1gIKz5p3rE20fVzFqYRPjxOUF75IO2bb62w22i5FlfDTsJ5t3cdL JZ0wtrFRhMJUPfsP0EzrFuiiOn0vSlSaDRUubF8= X-Google-Smtp-Source: AJdET5dBzA1sUsjjh1b+PRkIA9mNxu7Z9ADaKiATBS+mhgZrarbFKKYUaSu86hBBwTY4LkMiLqUimr0QKkU41wHDNI8= X-Received: by 2002:aca:853:: with SMTP id 80-v6mr14048115oii.333.1541487250269; Mon, 05 Nov 2018 22:54:10 -0800 (PST) MIME-Version: 1.0 References: <0289fa26-d157-8a65-389e-61dd7a01fcc4@spamtrap.tnetconsulting.net> In-Reply-To: From: =?UTF-8?Q?Mantas_Mikul=C4=97nas?= Date: Tue, 6 Nov 2018 08:53:58 +0200 Message-ID: To: ben@cogs.com Content-Type: multipart/alternative; boundary="000000000000fa6d480579f977fe" Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: tuhs@minnie.tuhs.org, gtaylor@tnetconsulting.net Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" --000000000000fa6d480579f977fe Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Nov 6, 2018, 01:32 Ben Greenfield via TUHS wrote: > > > > On Nov 5, 2018, at 2:36 PM, Grant Taylor via TUHS > wrote: > > > > On 11/05/2018 12:24 AM, Mantas Mikul=C4=97nas wrote: > >> Let the client handle authentication via Kerberos > > > > I don't know enough about Kerberos (yet) to know if it would be possibl= e > for a login process to communicate with the KDC and get a TGT as part of > logging in, without already being logged in. > > > > My ignorance is leaving me with a priming problem that seems like a > catch 22. You can't login without shadow information or TGT. But > traditional (simpler) kinit is run after being logged in. So ... how do > you detangle that? The only thing that I can come up with is that the > login process does the kinit functionality on the users behalf. > > I found that I had to do all of this using SASL. > > > I remember it as SASL would handle the kerberization during boot up > getting tickets for each LDAP entry that you wanted mapped to a service o= n > that client. > Sorry but I cannot parse that sentence at all... > I could be wrong but I think SASL seems to be way connect services on > Linux with LDAP that are served kerberized. > SASL is involved somewhat, in that it does help with implementing Kerberos =E2=80=93 services and clients can call libsasl instead of talking Kerberos directly, abstract away the complexity =E2=80=93 but that's all it is, an abstraction layer. (A quite useful one, though.) But it's not the only method, strictly speaking (e.g. SSH and HTTP use GSSAPI, and various older software use Kerberos directly). And as far as I could understand the previous paragraph =E2=80=93 it doesn't have anything = specific about "kerberization during boot up". --000000000000fa6d480579f977fe Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Tue, Nov 6,= 2018, 01:32 Ben Greenfield via TUHS <tuhs@minnie.tuhs.org> wrote:


> On Nov 5, 2018, at 2:36 PM, Grant Taylor via TUHS <tuhs@minnie.tuhs.org> wrot= e:
>
> On 11/05/2018 12:24 AM, Mantas Mikul=C4=97nas wrote:
>> Let the client handle authentication via Kerberos
>
> I don't know enough about Kerberos (yet) to know if it would be po= ssible for a login process to communicate with the KDC and get a TGT as par= t of logging in, without already being logged in.
>
> My ignorance is leaving me with a priming problem that seems like a ca= tch 22.=C2=A0 You can't login without shadow information or TGT.=C2=A0 = But traditional (simpler) kinit is run after being logged in.=C2=A0 So ... = how do you detangle that?=C2=A0 The only thing that I can come up with is t= hat the login process does the kinit functionality on the users behalf.

I found that I had to do all of this using SASL.


I remember it as SASL would handle the kerberization during boot up getting= tickets for each LDAP entry that you wanted mapped to a service on that cl= ient.

Sorry but I cannot parse th= at sentence at all...


I could be wrong but I think SASL seems to be way connect services on Linux= with LDAP that are served kerberized.
=C2=A0
SASL is involved somewhat, in that it does help with implementing K= erberos =E2=80=93 services and clients can call libsasl instead of talking = Kerberos directly, abstract away the complexity =E2=80=93 but that's al= l it is, an abstraction layer. (A quite useful one, though.)

=
But it's not the only method, strictly speaking (e.g. SSH an= d HTTP use GSSAPI, and various older software use Kerberos directly). And a= s far as I could understand the previous paragraph =E2=80=93 it doesn't= have anything specific about "kerberization during boot up".


--000000000000fa6d480579f977fe--