[OpenAFS] pam_afs_session and winbind

Brandon Allbery allbery.b@gmail.com
Thu, 30 Aug 2012 20:06:29 -0400


On Thu, Aug 30, 2012 at 7:54 PM, Ben Howell <howellbp@gmail.com> wrote:

> While this is true, people who get paid a lot more than I do decided we
> shouldn't be pointing authentication to individual machines and instead use
> domain lookups, which winbind does nicely. I was able to replicate the old
> functionality by pointing the pam stack directly to dc01.domain.com, but
> that defeats the purpose of having a decentralized authentication system.


Any Kerberos implementation worth its salt should be able to use SRV
lookups, which Active Directory supports, to autodiscover the KDCs.
Moreover, even when explicit specification is necessary, you do not
normally specify them in the PAM stack but in /etc/krb5.conf.

Where (which module) and why are you having to specify KDC machines
within/as part of the PAM stack?

-- 
brandon s allbery                                      allbery.b@gmail.com
wandering unix systems administrator (available)     (412) 475-9364 vm/sms
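To check the premise of this reply before touching the PAM stack, here is an added example (not from the thread): it parses a constructed `dig`-style answer for the `_kerberos._tcp` SRV records a realm publishes, orders them the way a client would try them, and renders the explicit `krb5.conf` `[realms]` entries they stand in for. The realm EXAMPLE.COM and the host names are made up.

```python
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample of what `dig +noall +answer SRV _kerberos._tcp.example.com`
# would print for a hypothetical realm EXAMPLE.COM with three KDCs.
SAMPLE_DIG_OUTPUT = """\
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc01.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 88 dc02.example.com.
_kerberos._tcp.example.com. 600 IN SRV 10 50 88 dc-dr.example.com.
"""

# name ttl IN SRV priority weight port target
SRV_LINE = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")


def parse_srv(answer_text):
    """Parse dig answer lines into SrvRecords in client try-order:
    lowest priority first; within a priority, higher weight first
    (RFC 2782 actually picks randomly by weight; this is the deterministic view)."""
    records = []
    for line in answer_text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            pri, wt, port, target = m.groups()
            records.append(SrvRecord(int(pri), int(wt), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def krb5_realm_stanza(realm, records):
    """Render the explicit [realms] entry equivalent to the SRV records.
    This is what goes in /etc/krb5.conf when KDCs must be pinned by hand;
    with dns_lookup_kdc = true (the MIT krb5 default) it is not needed."""
    lines = [f"    {realm} = {{"]
    for r in records:
        lines.append(f"        kdc = {r.target}:{r.port}")
    lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    kdcs = parse_srv(SAMPLE_DIG_OUTPUT)
    if not kdcs:
        print("no _kerberos._tcp SRV records found: autodiscovery cannot work, fix DNS")
    print("[realms]")
    print(krb5_realm_stanza("EXAMPLE.COM", kdcs))
```

Against a live domain, replace `SAMPLE_DIG_OUTPUT` with the output of `dig +noall +answer SRV _kerberos._tcp.<domain>`; an empty result means the KDC list in the PAM module is masking a DNS problem rather than solving an authentication one.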
