Alexander Boström wrote:

>> - Heimdal's KDC,
>
> I have Heimdal and Arla RPM:s that I've been meaning to try to get into
> Extras. See http:/ayo.sys.kth.se/kth/linux/4/i386/krbafs/ . (Binaries
> for RHEL4, but the SRPMS works with FC3 at least.)

I tried ARLA's Heimdal binaries before building it from sources, but they were built without the LDAP backend or something like that.

By the way, integrating Heimdal in Fedora isn't as trivial as I had guessed. Heimdal's libkrb5 doesn't appear to be binary compatible with the MIT version, and many libraries such as libkrb5support and libgssapi_krb5 don't even exist.

Heimdal uses a few encryption types that clients linked against the MIT libraries don't seem to support. Actually, I'm not sure how to fix this as I couldn't find clear documentation about supported encryption types and how to configure the server and client side to negotiate a commonly supported method. Maybe I just need to study Kerberos a bit harder.

>> configured with the LDAP backend.
>
> I don't know how that works but I must say I'm very sceptical, mostly
> from a security standpoint. What's the advantage of doing it that way?

The main advantage is that you can add/remove/edit a user account and its associated security information from a single place.

I was also pleased to discover that Heimdal can (ab)use NT hashes stored in sambaSamAccount objects, so I can just use "smbpasswd" or even Windows tools to edit POSIX, Samba and Kerberos passphrases at the same time.

Security is just as bad as letting Samba access the LDAP database. I'm using the ldapi:// method with a socket accessible to root only. I prefer this over storing the LDAP manager password in a secret file, although ldapi doesn't allow me to split Samba, LDAP and KDC on different servers.

Using SASL GSSAPI wouldn't be an option, as Kerberos can't use itself to authenticate to the LDAP service :-)

>> - I couldn't get password-less IMAP to work with
>> courier-imap because of limited SASL support.
>> Maybe I'd be more lucky with cyrus-imap
>
> Cyrus-IMAPd + Heimdal and Evolution + MIT-KRB play along nicely.

I use qmail as an MTA, and last time I checked cyrus-imapd didn't support Maildir.

--
 // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
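The enctype mismatch described in the message above (a Heimdal KDC issuing keys that MIT-linked clients reject), as an added example that is not part of the original post: a krb5.conf fragment that pins both sides to enctypes the two implementations have in common. The `[libdefaults]` and `[kadmin]` key names are the documented MIT and Heimdal ones; the realm name and the particular enctype list are assumptions chosen for illustration.

```ini
# Added example, not from the original post. Assumes the Heimdal KDC and
# the MIT-linked clients both implement the three enctypes listed below.

# Client side: MIT libkrb5 reads these from /etc/krb5.conf and will only
# request and accept the listed enctypes, so a KDC offering something
# outside this list fails early and visibly instead of at service time.
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
    permitted_enctypes   = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
    # Heimdal's equivalent setting for hosts that link its libkrb5 instead
    default_etypes       = aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5

# Server side: Heimdal's kadmin derives one key per entry here whenever a
# principal's password is set, so only principals (re)keyed after this
# change carry a key the MIT clients can use. arcfour-hmac-md5 is the
# enctype whose key is the NT hash, which is what allows reuse of the
# sambaNTPassword attribute mentioned in the thread.
[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
```

After reconfiguring, `klist -e` on the client shows the enctype of each ticket actually obtained, which is the quickest check that negotiation landed on one of the intended types.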