Hi there, On Do 06 Jan 2011 12:24:02 CET Petter Reinholdtsen wrote:
> > [Andreas B. Mundt] We want kerberos, but we don't want to get rid of old structures. So we open one more field of activity, split forces and everybody maintains and improves what he knows or prefers or whatever, thereby, from time to time, breaking the stuff of the colleague. Perhaps we can (and should) improve that point too.
>
> What old structures are you talking about? We have switched all user login authentication from LDAP to Kerberos (except Gosa, which seems incapable of using Kerberos for user authentication), and I am not aware of anything but Gosa using LDAP authentication now.
With Kerberos it is quite nice to have saslauthd running on the system. Some services still have no direct Kerberos integration but can authenticate against libsasl2. With saslauthd you can persuade LDAP to pass the authentication requests on to saslauthd, which then asks the KDC for a ticket... Authentication to LDAP then is successful if the ticket has been granted.

The same applies to other services (e.g. postfix, cyrus, ...).
> > However, to come back to the issue, the next step concerning kerberos would be to switch to nfs4.
>
> I assume you are talking about user home directories and shared folders, and not the LTSP root mount, because LTSP does not support NFS4 yet, and Kerberos based mounting is not really sensible for stateless machines.
Doesn't LTSP use NBD? It's quite a while ago that I set up my test LTSP scenario, but from what I read the general opinion was that NBD is preferable to NFS.
In the school where I run the NFS4+Krb5 setup I provide automounted homedirs with sec=krb5p for teachers, sec=krb5i for students. I also provide group directories automounted via NFS (teachers-only groups sec=krb5p, students-only or students+teachers groups sec=krb5i). There also is a transfer NFS share that uses sec=sys.
What I want to say: it simply depends on your /etc/exports file:

    /exports          server.domain(fsid=0,sec=sys:krb5:krb5i:krb5p,...)
    /exports/home     server.domain(rw,nohide,sec=krb5p,...)
    /exports/transfer server.domain(rw,nohide,sec=sys,...)

Note the sec=sys:krb5:krb5i:krb5p syntax in the first line... With this syntax you can mix NFS4+Krb5 security models.
> So we will end up with NFS3 and NFS4 if we get NFS4 working for home directories.
What is it that does not support NFS4 for LTSP? Again the question why NFS3 is preferred to NBD (there probably is a good reason, I merely ask to understand it).
> But I would love to get user home directory mounting away from netgroup and IP based authentication.
Is there a reader that explains how that is implemented currently?
> To me the next step with Kerberos would be to get Gosa, CUPS and Nagios to use Kerberos tickets when logging in to get rid of the last LDAP authentication user and ensure single signon for more services.
For services without implicit libkrb5 support... again... saslauthd...

Regards and greetings,
Mike

-- 
DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0x1943CA5B
mail: m.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
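As an added example (not part of the thread, and not Mike's real configuration), the following script parses the exports(5) syntax shown in the message and reports, per export and client, which security flavours are offered and which shares still accept sec=sys. The sample exports file is constructed for this example; the hostnames and paths are placeholders modelled on the post's layout, and the "no sec= given means sys" rule comes from exports(5).

```python
"""Audit /etc/exports for the Kerberos security flavours each share offers.

Added example, not code from the mailing-list thread. It handles the subset of
exports(5) syntax used in the post: '/path client(opt,opt=val,...) ...' plus
'#' comments. The sample file below is constructed; hostnames are placeholders.
"""
import re

# Constructed sample exports file (placeholder hostnames, not a real server).
SAMPLE_EXPORTS = """\
# NFSv4 pseudo-root: offers every flavour so clients can negotiate
/exports          server.example.org(fsid=0,sec=sys:krb5:krb5i:krb5p,rw,sync,no_subtree_check)
# home directories: privacy (encryption on the wire) required
/exports/home     server.example.org(rw,nohide,sec=krb5p,sync,no_subtree_check)
# student group shares: integrity protection only
/exports/groups   server.example.org(rw,nohide,sec=krb5i,sync,no_subtree_check)
# transfer share deliberately left at AUTH_SYS
/exports/transfer server.example.org(rw,nohide,sec=sys,sync,no_subtree_check)
# no sec= at all: exports(5) default is sys
/exports/legacy   *.example.org(ro,sync,no_subtree_check)
"""

# Relative strength of the flavours discussed in the thread (higher = stronger).
FLAVOUR_RANK = {"sys": 0, "krb5": 1, "krb5i": 2, "krb5p": 3}


def parse_options(opt_string):
    """Turn 'rw,nohide,sec=krb5p' into {'rw': True, 'nohide': True, 'sec': 'krb5p'}."""
    options = {}
    for item in filter(None, opt_string.split(",")):
        key, sep, value = item.partition("=")
        options[key] = value if sep else True
    return options


def parse_exports(text):
    """Return a list of (path, client, options) tuples, one per client spec."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], parts[1:]
        for token in clients:
            # exports(5) forbids whitespace between client and '(', so one token
            # is 'client(opts)' or a bare 'client' with default options.
            match = re.fullmatch(r"([^(]+)\((.*)\)", token)
            if match:
                entries.append((path, match.group(1), parse_options(match.group(2))))
            else:
                entries.append((path, token, {}))
    return entries


def security_flavours(options):
    """Flavours a client may use for this export; default per exports(5) is sys."""
    sec = options.get("sec", "sys")
    return sec.split(":")


def weakest_flavour(flavours):
    """The weakest flavour a client may negotiate from a sec= list."""
    return min(flavours, key=lambda f: FLAVOUR_RANK.get(f, -1))


def audit(text):
    """List (path, client, flavours, allows_sys) for every client spec."""
    report = []
    for path, client, options in parse_exports(text):
        flavours = security_flavours(options)
        report.append((path, client, flavours, "sys" in flavours))
    return report


def shares_allowing_sys(text):
    """Paths where at least one client may still mount with AUTH_SYS."""
    return sorted({path for path, _, _, allows in audit(text) if allows})


if __name__ == "__main__":
    for path, client, flavours, allows in audit(SAMPLE_EXPORTS):
        flag = "  <-- sec=sys permitted" if allows else ""
        print(f"{path:18} {client:22} {':'.join(flavours)}{flag}")
```

The point the check makes visible: a flavour list like sec=sys:krb5:krb5i:krb5p means the client chooses, so a share is only as strong as the weakest entry in its own sec= list, and an export with no sec= option at all is an AUTH_SYS share even though nothing in the line says so. The pseudo-root offering sys does not loosen /exports/home, since each export's own list applies to it.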