[Samba] nslcd: kerberos vs. simple bind
steve at steve-ss.com
Wed Aug 28 11:11:19 MDT 2013
On Wed, 2013-08-28 at 18:37 +0200, Marc Muehlfeld wrote:
> I took this out of the "OpenSSH auth in SAMBA4 LDAP" thread, because it
> was drifting away from its original question :-)
> I played a bit this afternoon with nslcd and Kerberos for extending my
> Wiki HowTo. But the more I read, the bigger one question becomes:
> What are the advantages of kerberos against simple bind with DN and
> Simple bind method: create a user, add the credentials to the root-only
> readable file nslcd.conf. Done.
> Kerberos: create a user, add an SPN, extract a keytab, edit nslcd.conf (OK,
> this is all done only once). But then, if I understand it right, I need
> something that renews the Kerberos ticket from time to time. In your
> blog you use k5start for that. Also, Fedora 19 and RHEL6 don't have it
> in their repositories. So something more to compile and to ensure
> that it starts and runs. :-)
> So currently I don't see what the advantages of Kerberos are and in
> which way it should be easier or anything else. :-)
> Maybe someone can give me (a Kerberos beginner) some answers/hints. :-)
If you're happy with plaintext passwords being passed over the network,
then use them. There may be some admins that will not be able to do that
though, so...
You may want to kerberise it. It's very easy: you don't need to create
anything new. Just use an object you already have. You always have a
machine key, for example. On the DC you'll have to extract its keytab,
but otherwise, away you go:
k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt &
If you need to be up more than 10 hours a day and if you don't like
k5start, cron it.
The clients already have the keytab so nothing else to do.
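The two nslcd.conf variants discussed above, plus the "cron it" alternative to k5start, as an added example (this is not code from the thread or from the nslcd/Samba projects). It assumes a realm EXAMPLE.COM, a DC dc1.example.com, a bind account cn=nslcd-user,cn=Users,dc=example,dc=com, that nslcd runs as the local user "nslcd", that the host's machine key is in /etc/krb5.keytab, and that the script is installed as /usr/local/sbin/nslcd-ticket.sh; all of these are placeholders. The nslcd.conf keys (binddn, bindpw, sasl_mech, sasl_realm, krb5_ccname) are the ones documented in nslcd.conf(5); the renewal path uses only kinit from MIT Kerberos, so nothing needs compiling.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the simple-bind and
# GSSAPI auth sections of nslcd.conf, and keeps a ticket cache for nslcd
# fresh from the host keytab without k5start (run from cron).
# Assumed (placeholders): realm EXAMPLE.COM, DC dc1.example.com, nslcd runs
# as user "nslcd", machine key in /etc/krb5.keytab, cache /tmp/nslcd.tkt
# (must match krb5_ccname in nslcd.conf).
set -u

KEYTAB=${KEYTAB:-/etc/krb5.keytab}
CCACHE=${CCACHE:-/tmp/nslcd.tkt}
NSLCD_USER=${NSLCD_USER:-nslcd}
MAX_AGE_MIN=${MAX_AGE_MIN:-360}
# Machine account principal held by the host keytab (what k5start -U picks).
PRINC=${PRINC:-"$(uname -n | cut -d. -f1 | tr a-z A-Z)\$@EXAMPLE.COM"}

# nslcd_conf MODE: print the auth part of nslcd.conf for "simple" or "gssapi".
nslcd_conf() {
    case "$1" in
    simple)
        cat <<'EOF'
uri ldap://dc1.example.com/
base dc=example,dc=com
# Weak variant: bindpw crosses the wire in clear unless ssl start_tls
# or an ldaps:// URI is also configured.
binddn cn=nslcd-user,cn=Users,dc=example,dc=com
bindpw S3cretPassw0rd
EOF
        ;;
    gssapi)
        cat <<'EOF'
uri ldap://dc1.example.com/
base dc=example,dc=com
# Kerberised variant: no password on disk; nslcd authenticates with the
# TGT in krb5_ccname, which the host keytab obtained.
sasl_mech GSSAPI
sasl_realm EXAMPLE.COM
krb5_ccname /tmp/nslcd.tkt
EOF
        ;;
    *) return 2 ;;
    esac
}

# ticket_is_stale CACHE MINUTES: succeed if CACHE is missing or older than MINUTES.
ticket_is_stale() {
    [ -e "$1" ] || return 0
    [ -n "$(find "$1" -mmin +"$2" 2>/dev/null)" ]
}

# renew_ticket: get a fresh TGT from the keytab into CCACHE and hand it to nslcd.
renew_ticket() {
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINC" || return 1
    chown "$NSLCD_USER" "$CCACHE" && chmod 600 "$CCACHE"
}

# Cron entry (hourly; a host TGT normally lives 10 hours, so a stale cache
# is refreshed long before it expires):
#   0 * * * * root /usr/local/sbin/nslcd-ticket.sh renew
case "${1:-}" in
renew)
    if ticket_is_stale "$CCACHE" "$MAX_AGE_MIN"; then
        renew_ticket && klist -c "$CCACHE"
    fi
    ;;
conf) nslcd_conf "${2:-gssapi}" ;;
esac
```

To check the GSSAPI side independently of nslcd, run `KRB5CCNAME=/tmp/nslcd.tkt ldapsearch -Y GSSAPI -H ldap://dc1.example.com/ -b dc=example,dc=com '(objectClass=user)' sAMAccountName` as the nslcd user; if that works, nslcd will too. The file-age check is a stand-in for parsing `klist` expiry output, which is enough when the cron interval is well under the ticket lifetime.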