Kerberos Confusion / Design Questions
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Thu Jan 12 17:37:44 EST 2006
Rodrick Brown wrote:
> I'm planning on deploying Sun-Kerberos with LDAP. I have a few design
> questions.
>
> It seems SSO between all hosts will only work if every server is
> added to each server's keytab? Right now my KDC can log into every
Wrong. The only keys that should be in a keytab are the ones
for the host that owns that keytab.
> server via gssapi-keyex SSO and other servers can log back into my
> KDC, but from server to server this isn't possible until their keytab
> is updated. Is this by design?
I think you have something misconfigured.
>
> We are running a mixture of Solaris, BSD, and Linux hosts. One thing
> that is puzzling me is how to handle Kerberos access. We don't really
> plan to sync with AD, so administrators and developers will log into
> servers using (putty/securecrt) as they do normally; all
> authentication will basically be provided through LDAP at this point.
> Once they are on a server they can manually issue a kinit, or I'm
> guessing have PAM configured to grant them a ticket upon login, and
> from then on be free to access whatever servers they have
> authorization to through (ldap/netgroups) w/o being prompted for a
> password until their ticket has expired.
All of the above mentioned systems should interoperate just fine.
You can use native Kerberos authentication (or GSSAPI) for
services that support it such as the rlogin/rsh/rcp/telnet/ftp clients
in the MIT distribution or delivered in Solaris 10. For services
that do not do native Kerberos authentication, you can configure
them to use PAM with the krb5 module in the stack so they will
get a Kerberos ticket automatically when they log in with the correct
password. You could also do the authentication with LDAP and force
people to use "kinit", but that seems to be putting more burden on the
users than necessary if you already have a working Kerberos
infrastructure and access to PAM.
> One thing I'm worried about though is will anyone really care if
> their ticket expired if they can still access systems via LDAP
> authentication? Would it make sense to only grant access to servers
I think no one will notice or care until they try to access a service that
requires Kerberos authentication.
> from users who have a valid ticket? That would force every user to
> use Kerberos based authentication, but if I don't sync my NT desktop
> accounts how will users be able to get their tickets initially? (so
> confused here)
Where does NT come into the picture, you said you had Solaris, BSD,
and Linux ? Is it truly "Windows NT" or is it Windows 2000/2003/XP ?
The difference is that the latter have native support for Kerberos and
the former does not - unless you install Kerberos for Windows (KfW).
> As you can tell I'm not really sure how to fit LDAP and Kerberos in
> together.
There are different ways of doing this, it really depends on your
network architecture and what tools you are planning to use.
If you are using an Active Directory server as the KDC, then
you already get the LDAP integration and it's a bit easier (but there
are drawbacks as well). If you are going to use one of the Unix variants
as the KDC, then you will have to do some extra steps to get LDAP and
Kerberos integrated cleanly across all of your platforms.
> I know I still have a lot to learn and read up on but if anyone can
> just help me go down the right path it will save many long hours.
Google is your friend for stuff like this. I don't have direct links to
any documentation, but I'll bet there is some out there.
Likewise, Microsoft has quite a bit of documentation on setting up
Kerberos and interoperating with Unix platforms.
-Wyllys
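Added example, not code from the original thread: a check for the point Wyllys makes at the top of the reply, that a host keytab should contain only that host's own keys (if every server's key sits in every keytab, compromising one box yields the credentials of all of them). The script parses the text printed by `klist -k` in the MIT / Solaris SEAM format; the hostnames, realm, and keytab listing below are constructed for illustration and do not come from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread. It checks that a host
# keytab holds only that host's own keys, as Wyllys describes.
# Input is the text printed by "klist -k" (MIT / Solaris SEAM format is
# assumed; Heimdal's "ktutil list" layout is not parsed). The sample below
# is constructed: the hostnames and realm are not from the thread.

# Print, one per line, the principals in klist -k output whose instance is
# not the local FQDN ($2), or which have no instance at all (a user key in a
# host keytab). Prints nothing when every entry belongs to the local host.
foreign_principals() {
    klist_output=$1
    local_fqdn=$2
    printf '%s\n' "$klist_output" |
        awk -v me="$local_fqdn" '
            # Entry lines look like "   3 host/web1.example.com@EXAMPLE.COM";
            # the "Keytab name:", "KVNO Principal" and "----" lines are skipped.
            $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
                princ = $2
                sub(/@.*/, "", princ)          # strip the realm
                n = split(princ, part, "/")    # service/instance
                if (n < 2 || part[2] != me) print $2
            }' | sort -u
}

# Exit 0 if the keytab holds only local keys, 1 otherwise.
keytab_is_clean() {
    [ -z "$(foreign_principals "$1" "$2")" ]
}

# Constructed klist -k output for a host web1.example.com whose keytab was
# (wrongly) filled with other servers' keys, as in the original question.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web1.example.com@EXAMPLE.COM
   3 host/web1.example.com@EXAMPLE.COM
   2 nfs/web1.example.com@EXAMPLE.COM
   5 host/db1.example.com@EXAMPLE.COM
   1 host/kdc.example.com@EXAMPLE.COM'

# The same host after fixing the keytab: only its own service keys remain.
CLEAN_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/web1.example.com@EXAMPLE.COM
   2 nfs/web1.example.com@EXAMPLE.COM'

if keytab_is_clean "$SAMPLE_KLIST" web1.example.com; then
    echo "keytab holds only local keys"
else
    echo "keytab holds keys for other principals:"
    foreign_principals "$SAMPLE_KLIST" web1.example.com
fi
```

Against a live host, run `foreign_principals "$(klist -k)" host.fqdn` as root (the keytab is root-readable only); pass the FQDN explicitly, since `hostname` on Solaris often returns the short name and the comparison is exact. Duplicate lines for the same principal with different key versions are expected and are not flagged.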