Using k5start with replacement init daemons

Jaap Winius jwinius at umrk.nl
Sat Jul 3 13:39:11 EDT 2010


Hi all,

A while ago, I figured out how to set up Debian lenny as a Kerberos and 
LDAP client for user authentication and authorization. K5start is 
important for this, because if the workstation cannot automatically 
obtain a Kerberos ticket for itself as it boots up, it has no way to 
authenticate to the LDAP server and then check if the user also has a 
necessary LDAP account.

However, a lot of this depends on how init behaves: if it runs k5start 
before the network comes up, the process will fail and the user will not 
be able to log in. I had this experience recently with Ubuntu 10, which 
uses a replacement init, called upstart. Once I had managed to write a 
reasonable /etc/init/k5start.conf, it only seemed to work some of the 
time. Other times I would have to switch to a console screen and run 
"initctl start k5start" manually before I could log in. Even worse, 
sometimes upstart even failed to start up the getty processes for the 
consoles, forcing me to first use another machine to ssh to the 
workstation to start up kstart (and maybe a getty). Has anyone managed to 
configure k5start to work on Ubuntu 10 (lucid) with upstart?

And if that's not bad enough, what can be done for all those laptop users 
out there who are used to managing their network connections from their 
desktops? In such cases, there may not be a network connection until 
after they log in. Personally, I'd first log in as root, establish the 
appropriate network connection from the command line and then run k5start 
before switching back to xdm, gdm, or kdm, but that's not something we 
can expect normal users to feel comfortable with. All I can think of is 
that something be built into xdm, gdm and kdm to allow the network 
connections (including wireless) to be managed before users log in.

Cheers,

Jaap
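
As an added illustration of the boot-ordering problem described in this message (not part of the original post and not kstart's own code): a shell wrapper an init job could call that retries the keytab authentication until the KDC is reachable, then leaves k5start running to renew the ticket. The ticket cache path, PID file, retry limits and the `run` argument are assumptions.

```sh
#!/bin/sh
# Added example: wait for the KDC instead of failing once at early boot.
# All paths and retry limits below are assumed values, not from the post.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CCACHE="${CCACHE:-/tmp/krb5cc_host}"
PIDFILE="${PIDFILE:-/var/run/k5start.pid}"
K5START="${K5START:-k5start}"

# One authentication attempt: -U takes the principal from the keytab,
# -f names the keytab, -k names the ticket cache. Non-zero exit on failure.
obtain_ticket() {
    "$K5START" -U -f "$KEYTAB" -k "$CCACHE" >/dev/null 2>&1
}

# retry_until_ticket MAX_TRIES DELAY_SECONDS
# Prints the attempt number that succeeded; returns 1 if none did.
retry_until_ticket() {
    max=$1; delay=$2; n=1
    while [ "$n" -le "$max" ]; do
        if obtain_ticket; then
            echo "$n"
            return 0
        fi
        # Pause only if another attempt will follow.
        if [ "$n" -lt "$max" ]; then sleep "$delay"; fi
        n=$((n + 1))
    done
    return 1
}

# Keep the ticket fresh: -K 10 wakes every 10 minutes, -b backgrounds,
# -p writes a PID file, -L logs to syslog.
start_renewal_daemon() {
    "$K5START" -U -f "$KEYTAB" -k "$CCACHE" -K 10 -b -L -p "$PIDFILE"
}

# Only act when invoked as "<script> run", e.g. from an init job.
if [ "${1:-}" = "run" ]; then
    if retry_until_ticket 30 10 >/dev/null; then
        start_renewal_daemon
    else
        logger -t k5start-wait "no ticket after 30 attempts; logins will fail"
        exit 1
    fi
fi
```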


