Re: SSSD and Kerberos tickets

On 08/17/2010 05:02 PM, Christoph Höger wrote:
> 
>> If you had access to the school's LDAP setup (and I suspect they'd tell
>> you if you asked) SSSD does what you're looking for internally.
> 
> Neither do I have access to that LDAP (though it might be technically
> possible to connect to it, this is just not a supported use case) nor do
> I want to rely on the IT infrastructure of my university for my
> workstation.
> 
>> But if I'm understanding you right, you want to just use a local login
>> and do a kinit (I don't know what 'kstart' means) when you log in.
> 
> This is exactly what I want. It seems like pam usually can do this:
> 
> http://techpubs.spinlocksolutions.com/dklar/kerberos.html#id2503053
> 
> But since Fedora ships with a custom /etc/pam.d layout due to sssd
> (which, as we discussed, cannot handle that use case), I'd like to know,
> if I still (meaning with sssd in place) can apply the above mentioned
> method.
> 
> Btw: kstart is a kinit replacement that allows running arbitrary
> commands after getting tickets.
> 
> 


What makes you think that SSSD would prevent this? That PAM
configuration has nothing to do with whether you can kinit after login.

That configuration in the link you specified does EXACTLY the same thing
that SSSD does: if you log in with a username that Kerberos understands,
you immediately get a ticket. If you don't (i.e. you log in with a local
account), then you can still do 'kinit', which has nothing to do with PAM.

All you need to have set up for kinit is /etc/krb5.conf



-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
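
As an added illustration of the reply above (not part of the original message): a minimal /etc/krb5.conf that is sufficient for running kinit from a local account. The realm EXAMPLE.EDU, the host kdc.example.edu and the principal "alice" are placeholders, not values from this thread.

```ini
# /etc/krb5.conf - client-side Kerberos configuration (constructed example).
# EXAMPLE.EDU and kdc.example.edu are placeholders for the site's realm and KDC.
# Comments must be on their own lines; krb5.conf has no inline comments.

[libdefaults]
    # Realm assumed when a principal is given without one (kinit alice).
    default_realm = EXAMPLE.EDU
    # Use the KDC listed under [realms] instead of DNS SRV discovery.
    dns_lookup_kdc = false
    # Do not rely on DNS TXT records to map hosts to realms.
    dns_lookup_realm = false
    forwardable = true

[realms]
    EXAMPLE.EDU = {
        kdc = kdc.example.edu
        admin_server = kdc.example.edu
    }

[domain_realm]
    # Map hosts in this DNS domain to the realm when requesting service tickets.
    .example.edu = EXAMPLE.EDU
    example.edu = EXAMPLE.EDU
```

With this file in place, `kinit alice@EXAMPLE.EDU` run from a local login session obtains a ticket and `klist` shows it; the PAM stack is not involved.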