Kerberos Digest, Vol 13, Issue 31

Sam Hartman hartmans at MIT.EDU
Sat Jan 31 12:16:50 EST 2004


>>>>> "Henry" == Henry B Hotz <hotz at jpl.nasa.gov> writes:

    Henry> Well, what we do here is have the LDAP server do a kinit
    Henry> against the central kerberos server for authentication.
    Henry> Native kerberos is a lot more convenient for the users, but
    Henry> you can solve the security issues without it on a
    Henry> case-by-case basis.

If that's actually what you do, then you have even bigger security
problems.  A kinit, without verifying the resulting ticket against a
host or service key, is completely vulnerable to spoofed KDCs.



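The check Sam is referring to, as an added configuration example that is not part of the original message or the Kerberos project's own documentation: after obtaining the TGT, the authenticating host requests a service ticket for its own principal and decrypts it with the key in its keytab, which a rogue KDC cannot forge. In MIT Kerberos this step is performed by krb5_verify_init_creds(), which authenticating applications (for example a PAM module such as pam_krb5) call; a plain `kinit` on its own does not prove anything about the KDC. The realm EXAMPLE.ORG, the KDC hostname and the keytab path below are assumed values.

```ini
# Added example (not from the original thread): krb5.conf on the host that
# performs the initial-credentials login (here, the LDAP server). Realm,
# KDC hostname and keytab path are placeholders.

[libdefaults]
    default_realm = EXAMPLE.ORG

    # Weak (the default): when no keytab is present, krb5_verify_init_creds()
    # silently skips the verification step, so a login "succeeds" against
    # any host that answers as the KDC.
    # verify_ap_req_nofail = false

    # Hardened: the verification is mandatory. The TGT just obtained is used
    # to request a ticket for this host's own principal, and that ticket is
    # decrypted with the key in the keytab below. A spoofed KDC cannot
    # produce a ticket that decrypts, so the login fails. A missing or
    # unreadable keytab is also a hard failure instead of a silent skip.
    verify_ap_req_nofail = true
    default_keytab_name = FILE:/etc/krb5.keytab

[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }
```

The keytab must hold a current key for this host's principal (host/ldap.example.org@EXAMPLE.ORG or similar), and the authenticating code must actually call krb5_verify_init_creds(); the flag only changes what happens when the keytab is absent.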