NIS => Kerberos/LDAP Migration

Russ Allbery rra at stanford.edu
Wed Aug 15 15:16:08 EDT 2007


Tim Schaab <tim at geology.wisc.edu> writes:

> Now that problem is solved, another pokes up. The logins hang and
> timeout. It looks like the module gets its ticket from the kdc, but
> then hangs trying to talk to kadmin. There is nothing in the kadmin log
> about a pam connection attempt at all. It is the same problem I saw
> trying to use the heimdal kadmin client on a MIT kadmin server. When a
> command is issued, it hangs.

> My belief is that using the remote kadmin part of pam-krb5-migrate is
> incompatible with a MIT kadmin server.

Yes, this is correct.  Heimdal and MIT use completely different kadmin
protocols.

> The next step would be to try the local db support. Though if it's using
> heimdal and we are using MIT, are the local DBs compatible?

> Another option would be to run a heimdal kadmin server during the
> transition. Once again though, I am not sure this would work unless they
> both use the same db format.

I'm fairly sure the databases are not compatible either, although I
suppose I could be pleasantly surprised.

Ideally, MIT would provide a public API for their kadmin functions so that
you could modify the PAM module to use that.  Unfortunately MIT Kerberos
doesn't provide a public API.  You can prototype the functions yourself
and hope that they don't change, or you can do something ugly like call
the kadmin client via the Perl Expect module, or you can use the Perl
kadmin module that prototypes the functions itself and hopes they don't
change.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
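The "ugly" option above, driving the MIT kadmin client through the Perl Expect module, as an added illustration that is not part of this thread or of pam-krb5-migrate. The admin principal, realm, the kadmin prompt and its success/failure message wording are assumptions about MIT kadmin and would need checking against the installed version.

```perl
#!/usr/bin/perl
# Added example: create principals for a NIS -> Kerberos migration by
# scripting the MIT kadmin client with Expect.  Prompt and message
# patterns are assumptions about MIT kadmin, not taken from the thread.
use strict;
use warnings;
use Expect;

my $ADMIN   = 'migrate/admin@EXAMPLE.COM';   # assumed admin principal
my $TIMEOUT = 10;   # seconds; bounds the hangs described in the thread

# Admin password on the first stdin line, then "user password" pairs,
# so no secret shows up on a command line or in ps(1) output.
chomp(my $adminpw = <STDIN>);

my $kadmin = Expect->spawn('kadmin', '-p', $ADMIN)
    or die "cannot spawn kadmin: $!";
$kadmin->log_stdout(0);   # keep the pty traffic (and passwords) off the terminal

# Authenticate to kadmind and wait for the interactive "kadmin:  " prompt.
$kadmin->expect($TIMEOUT, [ qr/Password for \Q$ADMIN\E: / ])
    or die "no password prompt from kadmin";
$kadmin->send("$adminpw\n");
$kadmin->expect($TIMEOUT, [ qr/kadmin:\s+$/ ])
    or die "kadmin authentication failed or timed out";

while (my $line = <STDIN>) {
    chomp $line;
    my ($user, $pw) = split ' ', $line, 2;
    next unless defined $pw;
    # kadmin splits its command line on whitespace; refuse rather than misquote.
    die "password for $user contains whitespace\n" if $pw =~ /\s/;
    $kadmin->send("addprinc -pw $pw $user\n");
    my $idx = $kadmin->expect($TIMEOUT,
        [ qr/created\./ ],        # assumed success text: Principal "..." created.
        [ qr/while creating/ ],   # assumed error text, e.g. principal exists
    );
    die "kadmin timed out creating $user\n" unless defined $idx;
    # Print only a fixed status: the pty buffer echoes the command, password included.
    print $idx == 1 ? "created $user\n" : "failed $user (see kadmind log)\n";
    $kadmin->expect($TIMEOUT, [ qr/kadmin:\s+$/ ])
        or die "lost the kadmin prompt after $user\n";
}
$kadmin->send("quit\n");
$kadmin->soft_close();
```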