[NTLUG:Discuss] Kerberos and Linux
Robert Pearson
e2eiod at gmail.com
Sat Jan 28 19:09:08 CST 2006
On 1/28/06, Leroy Tennison <leroy_tennison at prodigy.net> wrote:
> Before I do a lot of research for nothing, can kerberos not only be an
> authentication system for Linux but also provide local uid/gid's for the
> system? What I'm looking for is something like what LDAP can do where
> the local system doesn't have to have a user ID in order for someone to
> log in. I'm trying to get to a more centralized approach to user/group
> management like the PC NOSes have. Thanks for your input. Other secure
> alternatives would be worth hearing about as well.
From another mailing list.
This builds on the previous replies to your question.
> > Someone asked me this question the other day:
> >
> > Which open source product is an "Active Directory" equivalent that can do
> > user authentication and also allow users to get access to their files and
> > also set permissions accordingly, or perhaps even printers?
>
> While everyone's answer is probably addressing the point of your
> files/printers sharing question, AD is actually a directory service and
> ticket based authentication & authorization system. Or to be more precise, AD
> = LDAP + Kerberos. SAMBA happens to give you the NetBIOS type services
> and Windows-ish (with optional AD integration) authentication (in the strict
> sense), or is just the thing to use if you want "Windows like" Printer/file
> sharing.
Translated into English, what Tom said was: "Samba + LDAP + Kerberos
will give you a nice, rough approximation of AD". But not everything,
and I guarantee that the Windows mavens in the office are going to find
something to cry about not having. :)
Personally, I don't like the idea of Kerberos from a security
standpoint, and think it's better left out of the equation.
For LDAP, you have two viable choices... openldap and as someone else
mentioned Fedora's Directory Server. The bad news is that neither one
is anywhere close to being easy to understand or set up. The good news
is once you figure it out and find some tools to manage the LDAP server,
life will get much, much simpler as you'll have an open standard that
just about any OS, application, or appliance can interface with (plug in a
radius or tacacs server somewhere in the chain and you can centralize
authorization and authentication for the entire organization).
Pretty neat stuff if you're trying to herd a couple hundred users and 30
different services. :)
--
Kelley Spoon <kell at spoonix.com>
Spoonix, LLC http://www.spoonix.com/
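As an added example, not part of this thread or anyone's quoted reply, here is how the split the reply describes is typically wired on a Linux host: uid/gid and group membership come from LDAP through NSS, while the password check itself goes to the Kerberos KDC through PAM, so no password hashes ever live on the local box or in the directory. The base DN, server name, realm and the nss_ldap/pam_krb5 module names are assumptions, not values from the thread.

```conf
# /etc/nsswitch.conf (fragment)
# Identity: who the user is, their uid/gid and groups. "files" stays first
# so root and local service accounts still resolve when the LDAP server
# is unreachable; "shadow" deliberately does NOT consult LDAP, because
# authentication is Kerberos' job and the directory should hold no hashes.
passwd:  files ldap
group:   files ldap
shadow:  files

# /etc/ldap.conf (fragment, nss_ldap style; names are assumptions)
base    dc=example,dc=com
uri     ldap://ldap.example.com/
# Wrap the uid/gid lookups in TLS so account data is not readable on the wire.
ssl     start_tls

# /etc/pam.d/system-auth (fragment)
# Authentication: the password is proven to the KDC (pam_krb5), with local
# /etc/shadow (pam_unix) kept for root and emergency accounts. pam_deny at
# the end of the auth stack means "not found anywhere" fails closed.
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass
auth     sufficient pam_krb5.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_krb5.so
account  required   pam_permit.so
session  optional   pam_krb5.so
session  required   pam_unix.so
```

With this in place, `getent passwd <ldap-user>` returns a uid/gid that never appeared in the local /etc/passwd, and `klist` after a successful login shows the TGT that pam_krb5 obtained, which is the quickest check that both halves are actually being used.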