On Fri, 2004-09-24 at 17:07, Stephen J. Smoogen wrote:
> What I have been trying to do is get our laptops set up so that they
> can get Kerberos tickets if they are on the domain, and not to get
> them if they are not. The problem is currently most seen in
> When the laptop is plugged into the network and a local password is
> used, the access occurs. When I unplug the box but move the settings to
> even optional.. it just sits for 2 minutes and login times out.

We added a new PAM module in FC3 called pam_ccreds from PADL Software. "ccreds" stands for "Cached Credentials". This may do what you want.

pam_ccreds (Cached Credentials) is an optional PAM module that would only be turned on by explicit root configuration. It works by caching, in an encrypted form, the credentials from a successful login. The encrypted cache is readable only by root, making it equivalent to the shadow mechanism. The idea is that if an organization is using server-based authentication (e.g. NIS or LDAP) and the user disconnects from his network, he should still be able to log in to his notebook.

The cache is only consulted if a server-based PAM module reports its server is unavailable. If a server, while connected, ever reports a positive NAK on authentication, the user's cached credentials are immediately flushed; this means a user does not have unlimited future ability to authenticate if his privileges are revoked on his network. He can only authenticate while disconnected, and only if the previous connected authentication was successful. This provides a good trade-off between security and practical real-world access for mobile users.

There are a few additional issues you will need to take into account:

1) authconfig needs to be patched to support ccreds; I don't think that patch made it into FC3.

2) User ID information (e.g. nsswitch) still has to come from some place. If it's currently network-served you'll have problems. Rumor has it that FC3 picked up support for caching this, but at the immediate moment I don't have the details at my fingertips.

3) Home dirs will have to be local (we are in the process of adding support for home dir caching).

4) The network timeouts for the krb server won't occur if the network is turned off as opposed to unavailable (e.g. service network stop). There was a bug in pam_krb5 which returned the wrong error code when the krb server was unavailable: it used to return "authentication failure" instead of the correct "server unavailable". That was fixed and I'm pretty sure is in FC3.

-- 
John Dennis <jdennis@xxxxxxxxxx>
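The stack John describes (cache consulted only on "server unavailable", flushed on a server NAK, refreshed on a successful online login) written out as a PAM auth configuration. This is an added example, not from the mail above, from Fedora's authconfig or from the pam_ccreds package. The action=validate, action=store and action=update arguments are the ones pam_ccreds documents; the bracketed jump-count wiring, the choice of pam_krb5 as the server-based module, and the reading of action=update as "remove the user's cached entry" are my assumptions and should be checked against the README of the pam_ccreds version you install.

```text
# /etc/pam.d/system-auth, "auth" stack only (assumed layout).
# Order matters: the bracketed controls skip a fixed number of lines,
# so the three pam_ccreds lines must stay in exactly this order.

auth    required    pam_env.so

# Local accounts (root, a rescue user) never touch the network.
auth    sufficient  pam_unix.so nullok try_first_pass

# Server-based authentication. Three outcomes, three different paths:
#   success            -> skip 2 lines: land on "store"    (refresh the cache)
#   authinfo_unavail   -> skip 1 line:  land on "validate" (consult the cache)
#   anything else (NAK)-> fall through: land on "update"   (flush the cache)
# This relies on pam_krb5 returning PAM_AUTHINFO_UNAVAIL when the KDC cannot
# be reached (the bug John mentions). With an older pam_krb5 a dead KDC looks
# like a wrong password, so the cache is flushed instead of consulted.
auth    [success=2 authinfo_unavail=1 default=ignore]  pam_krb5.so use_first_pass

# Reached only on an explicit server NAK: drop the cached credentials and
# fail the stack. "die" stops here so "validate" below can never run.
auth    [default=die]   pam_ccreds.so action=update

# Reached only when the server was unavailable: compare the typed password
# against the root-only cache and return that verdict, whatever it is.
auth    [default=done]  pam_ccreds.so action=validate use_first_pass

# Reached only after a successful online authentication: (re)store the
# credentials so the next offline login has something to check against.
# With default=done a failure to write the cache fails the login, which is
# the conservative choice: you learn the cache is broken while still online.
auth    [default=done]  pam_ccreds.so action=store

auth    required    pam_deny.so
```

Two checks are worth doing before trusting this on a laptop. First, while on the network, log in with a deliberately wrong password and confirm the cache entry for that user is gone afterwards (point 4 in the mail: if pam_krb5 reports "authentication failure" for an unreachable KDC, this same path will wipe the cache every time the laptop is undocked). Second, test the offline case with the cable pulled rather than with `service network stop`, since the mail notes the timeouts behave differently when the interface is down versus the server being unreachable.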