Re: Enterprise Active Directory support question
- From: "stefan skoglund(agj)" <stefan skoglund agj net>
- To: David Woodhouse <dwmw2 infradead org>
- Cc: "gnome-integration-list gnome org" <gnome-integration-list gnome org>, Stef Walter <stefw gnome org>, desktop-devel-list <desktop-devel-list gnome org>
- Subject: Re: Enterprise Active Directory support question
- Date: Fri, 22 Feb 2013 13:13:44 +0100
mån 2013-02-11 klockan 09:52 +0000 skrev David Woodhouse:
On Mon, 2013-02-11 at 08:29 +0100, Stef Walter wrote:
In GNOME 3.6 Enterprise logins was introduced. This feature is very
attractive for enterprise deployments because it makes possible to
add GNOME workstations into Windows networks with Active Directory.
My understanding of this feature is that it only enables users to
log
on their GNOME workstations, so it doesn't enable them to use the
shared folders or network printers of their domains without login
again for every shared resource.
Well it should do those things. I know that the shared folders does
work. For example, we tested it in Fedora:
And automatic login with NTLM, and keeping a Kerberos TGT valid, are
both mostly solved problems too. Although we do need to dust that work
off and merge it.
With MIT Kerberos it is possible in /etc/krb5.conf to force checking of
the KDC but normally it means that the client process needs read access
to /etc/krb5.keytab which is only readable by root.
Which means that gnome-shell/gnome-screensaver can't check the
responding KDC when unlocking the session = a possibility of
KDC-spoofing.
Any designs for this problem which doesn't requires 'sssd' ?
One possibility is to install in a world-readable some other ticket with
only usage to permit screensaver to check KDC validity.
pam_krb5 at login time uses (i think) the host/'fqdn of client` ticket
to check KDC identify.
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]