Re: SSSD and Kerberos tickets




On 08/17/2010 05:02 PM, Christoph Höger wrote:

>> If you had access to the school's LDAP setup (and I suspect they'd tell
>> you if you asked) SSSD does what you're looking for internally.
>
> Neither do I have access to that LDAP (though it might be technically
> possible to connect to it, this is just not a supported use case) nor do
> I want to rely on the IT infrastructure of my university for my
> workstation.
>
>> But if I'm understanding you right, you want to just use a local login
>> and do a kinit (I don't know what 'kstart' means) when you log in.
>
> This is exactly what I want. It seems like PAM usually can do this:
>
> http://techpubs.spinlocksolutions.com/dklar/kerberos.html#id2503053
>
> But since Fedora ships with a custom /etc/pam.d layout due to SSSD
> (which, as we discussed, cannot handle that use case), I'd like to know
> if I still (meaning with SSSD in place) can apply the above-mentioned
> method.
>
> Btw: kstart is a kinit replacement that allows running arbitrary
> commands after getting tickets.




What makes you think that SSSD would prevent this? That PAM
configuration has nothing to do with whether you can kinit after login.

That configuration in the link you specified does EXACTLY the same thing
that SSSD does: if you log in with a username that Kerberos understands,
you immediately get a ticket. If you don't (i.e. you log in with a local
account), then you can still do 'kinit', which has nothing to do with PAM.

All you need to have set up for kinit is /etc/krb5.conf



--
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
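
The local-login-then-kinit workflow discussed in this thread, as an added example that is not part of either poster's message: a shell function, meant to be sourced from a login profile, that requests a ticket only when the credential cache holds no valid one. The principal `user@EXAMPLE.EDU` and the `KRB_INTERACTIVE` variable are assumptions made for this example; the realm itself still has to be defined in /etc/krb5.conf.

```shell
# Added example: get a Kerberos TGT after a *local* login (no PAM or SSSD involved).
# KRB_PRINCIPAL is a constructed placeholder; its realm must exist in /etc/krb5.conf.
KRB_PRINCIPAL="${KRB_PRINCIPAL:-user@EXAMPLE.EDU}"

# Returns 0 if a valid ticket exists or was obtained,
#         1 if kinit failed,
#         2 if no ticket exists and prompting is not allowed.
ensure_krb_ticket() {
    principal="${1:-$KRB_PRINCIPAL}"

    # MIT klist -s prints nothing; exit status 0 means the cache is readable
    # and holds an unexpired ticket, so there is nothing to do.
    if klist -s 2>/dev/null; then
        return 0
    fi

    # Do not prompt from non-interactive shells (scp, cron, remote commands).
    # KRB_INTERACTIVE is a hypothetical override: "yes", "no", or "auto" (default).
    if [ "${KRB_INTERACTIVE:-auto}" = "auto" ]; then
        [ -t 0 ] || return 2
    elif [ "$KRB_INTERACTIVE" != "yes" ]; then
        return 2
    fi

    # kinit reads the password from the terminal; nothing secret is kept
    # in this file or in the environment.
    kinit "$principal" || return 1
}

# Typical use in ~/.bash_profile (left commented so sourcing has no side effects):
# ensure_krb_ticket
```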

