[NTLUG:Discuss] Kerberos and Linux
Leroy Tennison
leroy_tennison at prodigy.net
Sun Feb 5 05:39:29 CST 2006
Robert Pearson wrote:
>On 1/28/06, Leroy Tennison <leroy_tennison at prodigy.net> wrote:
>
>
>>Before I do a lot of research for nothing, can kerberos not only be an
>>authentication system for Linux but also provide local uid/gid's for the
>>system? What I'm looking for is something like what LDAP can do where
>>the local system doesn't have to have a user ID in order for someone to
>>log in. I'm trying to get to a more centralized approach to user/group
>>management like the PC NOSes have. Thanks for your input. Other secure
>>alternatives would be worth hearing about as well.
>>
>>
>
>From another mailing list.
>This builds on the previous replies to your question.
>
>
>
>>>Someone asked me this question the other day:
>>>
>>>Which open source product is an "Active Directory" equivalent that can do
>>>user authentication and also allow users to get access to their files and
>>>also set permissions accordingly, or perhaps even printers?
>>>
>>>
>>While everyone's answer is probably addressing the point of your
>>files/printers sharing question, AD is actually a directory service and
>>ticket-based authentication & authorization system. Or, to be more precise, AD
>>= LDAP + Kerberos. Samba happens to give you the NetBIOS type services
>>and Windows-ish (with optional AD integration) authentication (in the strict
>>sense), or is just the thing to use if you want "Windows like" printer/file
>>sharing.
>>
>>
>
>Translated into English, what Tom said was: "Samba + LDAP + Kerberos
>will give you a nice, rough approximation of AD". But not everything,
>and I guarantee that the Windows mavens in the office are going to find
>something to cry about not having. :)
>
>Personally, I don't like the idea of Kerberos from a security
>standpoint, and think it's better left out of the equation.
>
>For LDAP, you have two viable choices... OpenLDAP and, as someone else
>mentioned, Fedora's Directory Server. The bad news is that neither one
>is anywhere close to being easy to understand or to set up. The good news
>is that once you figure it out and find some tools to manage the LDAP server,
>life will get much, much simpler, as you'll have an open standard that
>just about any OS, application, or appliance can interface with (plug in a
>RADIUS or TACACS server somewhere in the chain and you can centralize
>authorization and authentication for the entire organization).
>
>Pretty neat stuff if you're trying to herd a couple hundred users and 30
>different services. :)
>
>--
>Kelley Spoon <kell at spoonix.com>
>Spoonix, LLC http://www.spoonix.com/
>
>
>
>
Thanks for mentioning Fedora Directory Services; I didn't know it
existed and will at least have to look at it. What you mentioned
(Samba+LDAP+Kerberos) is exactly the complexity I'm trying to avoid.
Unfortunately that may not be possible, and I consider that an area where
the Open Source "world" needs to improve if it is going to be considered
for anything other than small LANs.

I had heard some bad things about Kerberos security but don't really
know what they are. Can you provide a high-level overview? Thanks.
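The thread's "AD = LDAP + Kerberos" split answers the original uid/gid question: a Kerberos KDC only proves that a principal knows its key and issues tickets; it carries no POSIX attributes, so the uid, gid, home directory and shell a Linux login needs still have to come from a directory (LDAP). The client configuration below is an added illustration of that division of labour and is not from the thread or from any of the projects named in it; it assumes a modern sssd-based client (a tool that postdates this 2006 discussion), and the realm EXAMPLE.COM, the hosts ldap.example.com and kdc.example.com, and the base DN dc=example,dc=com are placeholders.

```ini
# /etc/sssd/sssd.conf (constructed example; realm, hosts and base DN are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
# Identity (uid/gid, home, shell) is read from posixAccount/posixGroup
# entries in LDAP; Kerberos has no notion of these attributes.
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# Refuse to talk to the directory over an unverified TLS channel.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# Authentication and password changes are delegated to the KDC, so the
# user's password is never sent to the LDAP server at login.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
# Verify the obtained TGT against the host's own keytab (/etc/krb5.keytab),
# so a host that is tricked into talking to a rogue KDC does not accept a
# forged "successful" login.
krb5_validate = true

# Keep cached credentials off unless offline login is an actual requirement;
# caching means password hashes persist on the client.
cache_credentials = false
```

After restarting sssd, `getent passwd alice` and `id alice` should return the LDAP-sourced uid and gid for a user that has no entry in the local /etc/passwd, while a login attempt for that user is answered by the KDC. If `getent` resolves the account but login fails with a KDC-related error, the identity and authentication halves are correctly separated and only the Kerberos side needs attention; if `getent` returns nothing, the LDAP entry lacks the posixAccount attributes and no amount of Kerberos configuration will supply them.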