[OpenAFS] pam_afs_session and winbind

Ben Howell howellbp@gmail.com
Thu, 30 Aug 2012 19:12:44 -0500


That's part of the default krb5.conf, specifying kdc = hostname, as well 
as master_kdc, etc. for every host that serves as KDC. I do have SRV 
records in place, and I know from our old implementation that SRV 
lookups DO work the way they're supposed to, but I'm not paid enough to 
argue with execs. :P

I suppose I could just implement it in the way that actually works and 
hope no one notices.

  - Ben

On 8/30/12 7:06 PM, Brandon Allbery wrote:
> On Thu, Aug 30, 2012 at 7:54 PM, Ben Howell <howellbp@gmail.com 
> <mailto:howellbp@gmail.com>> wrote:
>
>     While this is true, people who get paid a lot more than I do
>     decided we shouldn't be pointing authentication to individual
>     machines and instead use domain lookups, which winbind does
>     nicely. I was able to replicate the old functionality by pointing
>     the pam stack directly to dc01.domain.com
>     <http://dc01.domain.com>, but that defeats the purpose of having a
>     decentralized authentication system. 
>
>
> Any Kerberos implementation worth its salt should be able to use SRV 
> lookups, which Active Directory supports, to autodiscover the KDCs. 
>  Moreover, even when explicit specification is necessary, you do not 
> normally specify them in the PAM stack but in /etc/krb5.conf.
>
> Where (which module) and why are you having to specify KDC machines 
> within/as part of the PAM stack?
>
> -- 
> brandon s allbery allbery.b@gmail.com <mailto:allbery.b@gmail.com>
> wandering unix systems administrator (available)     (412) 475-9364 vm/sms
>
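To make the two approaches in this exchange concrete, here is an added MIT-style /etc/krb5.conf fragment (illustrative only; it is not the configuration from either poster's site). The realm DOMAIN.COM and the host dc01.domain.com are placeholders taken from the thread; dc02.domain.com is an assumed second domain controller. The first [realms] stanza pins the KDCs by hostname, the way the thread describes; the second stanza is empty so that libkrb5 locates the KDCs through the _kerberos._tcp.DOMAIN.COM SRV records that Active Directory publishes. Note that dns_lookup_kdc only takes effect for a realm that has no kdc = entries, so the two forms are mutually exclusive per realm, not additive.

```ini
[libdefaults]
    default_realm = DOMAIN.COM
    # Use DNS SRV records to find KDCs for any realm that has no
    # explicit kdc = entries below (MIT default is true).
    dns_lookup_kdc = true
    # Keep host->realm mapping out of DNS TXT records; an attacker who
    # controls DNS should not be able to redirect us to another realm.
    dns_lookup_realm = false

[realms]
    # Form A: KDCs pinned by hostname (what the thread calls the
    # "default krb5.conf"). DNS SRV lookups are NOT consulted for this
    # realm while these entries exist; every DC must be listed by hand.
    DOMAIN.COM = {
        kdc = dc01.domain.com
        kdc = dc02.domain.com       ; assumed second DC
        master_kdc = dc01.domain.com
        admin_server = dc01.domain.com
        kpasswd_server = dc01.domain.com
    }

    # Form B: same realm, autodiscovered. Remove every kdc =,
    # master_kdc = and admin_server = line and libkrb5 will query
    # _kerberos._tcp.DOMAIN.COM / _kerberos._udp.DOMAIN.COM (and
    # _kpasswd._tcp.DOMAIN.COM) SRV records instead. Only one of the
    # two stanzas may be present for a given realm name.
    ; DOMAIN.COM = {
    ;     default_domain = domain.com
    ; }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
```

To confirm that Form B is actually usable, check the records from a client with `dig +short _kerberos._tcp.DOMAIN.COM SRV` (and the UDP and kpasswd variants), then run `KRB5_TRACE=/dev/stderr kinit user@DOMAIN.COM`; the trace shows which KDC was resolved and contacted, so a stale hostname or a missing SRV record is visible immediately rather than as a generic "Cannot resolve servers for KDC" error. Either way the KDC choice belongs in krb5.conf, not in the PAM module arguments, which is the point Brandon is making.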

