Re: Single sign-on infrastructure (FC5 wish)

Mike MacCana wrote:

> On Tue, 2005-06-21 at 10:11 -0500, Jason L Tibbitts III wrote:
> > "AB" == Alexander Boström <abo@xxxxxx> writes:
> > AB> I don't know how that works but I must say I'm very sceptical,
> > AB> mostly from a security standpoint. What's the advantage of doing
> > AB> it that way?
> >
> > A single replication infrastructure.  I use the MIT KDC because it's
> > what Red Hat happens to ship, but I'd much rather have everything in
> > LDAP instead of having two separate systems to configure and maintain.
>
> So Heimdal can use an LDAP data store? Sweet. Thanks so much for your
> post.
> I've wanted MIT krb5 to do this (in a non-hacky way) for ages.

A data abstraction layer (DAL) patch that does just that has just been committed to the CVS of the MIT KDC.

> Can Heimdal do Kerberos over TCP, and does it support MS specific
> encryption types, like MIT Kerberos does?
Quoted from heimdal.info:

Encryption types
================

Windows 2000 supports both the standard DES encryptions (des-cbc-crc and
des-cbc-md5) and its own proprietary encryption that is based on MD4 and
rc4 that is documented in and is supposed to be described in
`draft-brezak-win2k-krb-rc4-hmac-03.txt'.  New users will get both MD4
and DES keys.  Users that are converted from a NT4 database, will only
have MD4 passwords and will need a password change to get a DES key.

Heimdal implements both of these encryption types, but since DES is the
standard and the hmac-code is somewhat newer, it is likely to work
better.
Also I believe Heimdal can (or will be able to) use the LDAP attribute "sambaNTPassword" as an arcfour-hmac-md5 Kerberos key. I haven't tried MIT KDC+DAL (or Heimdal for that matter) but I guess that, the raison d'être of DAL being its possible use alongside future versions of Samba, it's likely to support the same feature.

On a related note, my hardest headache is renewing keys for users that have home directories accessed via NFS4+krb5. We could not get "gnome-kerberos" or "xscreensaver" to do it, so we keep a terminal window open so that kinit can be run there. Am I missing something?

Also is the new kernel keyring facility planned for FC5 inclusion?

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
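The ticket-renewal headache raised above (a terminal kept open so that kinit can be re-run for NFSv4+krb5 home directories) is the kind of thing a small background helper can cover. The script below is an added example, not code from the thread or from Fedora, Heimdal or MIT; it assumes the MIT krb5 command-line tools kinit and klist are on PATH and that the user's TGT was obtained with a renewable lifetime (the principal `someuser@EXAMPLE.REALM` in the comments is a placeholder). It renews at half the ticket lifetime, so a single missed run does not lose the ticket, and logs rather than dies when the KDC is unreachable.

```shell
#!/bin/sh
# Added example, not part of the thread: renew a renewable Kerberos TGT on a
# schedule so that krb5-protected NFSv4 home directories stay reachable
# without a terminal left open for kinit.
# Assumes the MIT krb5 tools kinit and klist on PATH and a ticket obtained
# renewable, e.g. (placeholder principal):
#   kinit -l 10h -r 7d someuser@EXAMPLE.REALM

# renew_interval LIFETIME_SECONDS
#   Prints the sleep interval between renewal attempts: half the ticket
#   lifetime (one missed attempt then still leaves a valid ticket), but
#   never less than 60 seconds.
renew_interval() {
    half=$(( $1 / 2 ))
    [ "$half" -ge 60 ] || half=60
    printf '%s\n' "$half"
}

# should_renew REMAINING_SECONDS LIFETIME_SECONDS
#   Exit status 0 when the ticket has used up at least half its lifetime.
should_renew() {
    [ "$1" -le $(( $2 / 2 )) ]
}

# renew_once
#   klist -s exits non-zero when the credential cache holds no valid
#   (unexpired) ticket; kinit -R renews the TGT in place. Renewal stops
#   working once the ticket's renew-till time is reached, after which a
#   fresh kinit (password or keytab) is required.
renew_once() {
    if ! klist -s; then
        echo "$(date '+%F %T') no valid ticket in cache; run kinit" >&2
        return 1
    fi
    if kinit -R; then
        echo "$(date '+%F %T') ticket renewed"
    else
        echo "$(date '+%F %T') kinit -R failed (past renew-till, or KDC unreachable?)" >&2
        return 1
    fi
}

# renew_loop LIFETIME_SECONDS
#   Renew forever at half-life. A failed renewal is logged and retried on
#   the next round, so a transient KDC outage is not fatal.
renew_loop() {
    interval=$(renew_interval "$1")
    while :; do
        renew_once || true
        sleep "$interval"
    done
}

# Only start the loop when a lifetime argument is given, e.g.
#   ./krb-renew.sh 36000 &     # 10h ticket lifetime, renew every 5h
# so that sourcing the file for its functions has no side effects.
if [ -n "${1:-}" ]; then
    renew_loop "$1"
fi
```

The loop can only stretch a ticket up to its renew-till limit; fully unattended operation beyond that needs a keytab, which is a long-term secret and should be stored with owner-only permissions and a principal that has no more access than the home-directory mount requires.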
