On Thu, Nov 29, 2007 at 10:57:58AM +0100, Sebastian Hagedorn wrote:
>
> --On 28. November 2007 19:40:22 -0600 Gary Mills <mills@xxxxxxxxxxxxxxx>
> wrote:
>
> >We have a central database that contains Unix, NTLM, and SASL
> >passwords, permitting single-password signons for Unix and Windows
> >desktops, and for Cyrus IMAP. I'd like to add Kerberos to this mix,
> >but only for IMAP authentications initially. This would permit
> >single-signon from Unix IMAP clients like mutt and pine, and
> >especially from a webmail application using pubcookie for
> >authentication. I'd like Kerberos to use the same passwords, rather
> >than supporting another password database. Is anybody doing this? Is
> >it even possible?
>
> I don't think so, but I could be wrong.
>
> >If not, would it be possible to keep them
> >synchronized?
>
> Well, I would assume that your "SASL passwords" are actually plain text,
> right? If you have the actual passwords you can of course keep two
> databases in sync. We do something similar. There's a cron job that runs
> once per hour and handles deltas.

Yes, that's correct, although they're not stored that way in the
account database. I'm pleased to hear that that works. I may decide
to do the same thing.

We use PAM exclusively. I notice that Solaris has a pam_krb5_migrate
module that will populate the Kerberos database when users don't
already have Kerberos passwords. That provides another way to do it.

--
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-