Kerberos Confusion / Design Questions

Rodrick Brown rodrick.brown at gmail.com
Tue Jan 10 23:25:44 EST 2006


I'm planning on deploying Sun-Kerberos with LDAP. I have a few design
questions.



It seems SSO between all hosts will only work if every server is added to
each server's keytab? Right now my KDC can log into every server via
gssapi-keyex SSO, and other servers can log back into my KDC, but from server
to server this isn't possible until their keytab is updated. Is this by
design?



We are running a mixture of Solaris, BSD, and Linux hosts. One thing that is
puzzling me is how to handle Kerberos access. We don't really plan to sync
with AD, so administrators and developers will log into servers using
(PuTTY/SecureCRT) as they do normally; all authentication will basically be
provided through LDAP at this point. Once they are on a server they can
manually issue a kinit, or I'm guessing have PAM configured to grant them a
ticket upon login? And from then on be free to access whatever servers
they have authorization to through (LDAP/netgroups) w/o being prompted for a
password until their ticket has expired.



One thing I'm worried about though is: will anyone really care if their
ticket expired if they can still access systems via LDAP authentication?
Would it make sense to only grant access to servers to users who have a
valid ticket? That would force every user to use Kerberos-based
authentication, but if I don't sync my NT desktop accounts how will users be
able to get their tickets initially? (so confused here)



As you can tell I'm not really sure how to fit LDAP and Kerberos in together.

I know I still have a lot to learn and read up on, but if anyone can just
help me go down the right path it will save many long hours.



If anyone is doing this, can you please provide some insight? Thanks.


-- 
Rodrick R. Brown
Forex Capital Markets - http://www.fxcm.com
http://www.rodrickbrown.com
rodrick.brown[<@>]gmail.com

When in 1986 Apple bought a Cray X-MP and announced that they would use it 
to design the next Apple Macintosh, Seymour Cray replied, "This is very 
interesting because I am using an Apple Macintosh to design the Cray-2 
supercomputer." 
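An added example, not part of the original post: a small keytab audit for the keytab question above. Each host needs only its own host/<fqdn> key for GSSAPI SSH logins to it, and a keytab that also carries another server's key lets whoever reads that file impersonate the other server, so the check below parses `klist -k` output (a constructed sample; server names and realm are assumed) and flags principals whose instance is some other host.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output as seen on server1 (not a real capture).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------------
   3 host/server1.example.com@EXAMPLE.COM
   3 host/server1.example.com@EXAMPLE.COM
   2 host/server2.example.com@EXAMPLE.COM
   1 nfs/server1.example.com@EXAMPLE.COM'

# keytab_principals TEXT: print the distinct principals listed in klist -k output.
# Entry lines start with a numeric KVNO; the header and dashes line do not.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# has_host_key FQDN REALM TEXT: succeed only if host/FQDN@REALM is in the keytab,
# which is what sshd on that host needs to accept GSSAPI logins.
has_host_key() {
    keytab_principals "$3" | grep -qx "host/$1@$2"
}

# foreign_principals FQDN TEXT: print service principals (svc/instance@REALM)
# whose instance is a different host; such keys do not belong on this machine.
foreign_principals() {
    keytab_principals "$2" | awk -F'[/@]' -v fqdn="$1" 'NF == 3 && $2 != fqdn'
}

# Stand-alone run against the constructed sample.
if has_host_key server1.example.com EXAMPLE.COM "$SAMPLE_KLIST"; then
    echo "own host key present"
fi
foreign_principals server1.example.com "$SAMPLE_KLIST" | sed 's/^/foreign key: /'
```

On a live host, feed it the real listing, e.g. `foreign_principals "$(hostname)" "$(klist -k)"`.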




