[BBLISA] Chucking samba

Sean OMeara someara at gmail.com
Mon Apr 26 08:58:36 EDT 2010


I've been through this dance a thousand times.

The bottom line is: If you have ANY windows in the mix at all, just
suck it up and get an AD (for use as your KDC)

Why? Windows crams authorization data into the authentication ticket
and *nix doesn't.

You'll be able to get everything going with a MIT/Heimdal/whatever
realm + openldap + pam + whatever, but as soon as you go to hook
Windows into the mix, things will asplode.

You'll end up:
a) sneakernetting around kerberos keytabs because the kadmin rpc will not work.
b) manually(?) maintaining local security accounts on all your windows machines
c) looking for pink unicorns.

Please, please, please trust me on this one. The $2000+ you'll end up
spending on windows server licenses will easily pay for themselves by the
time you've bashed your head through a second monitor in frustration 6
months from now.

-s

On Sun, Apr 25, 2010 at 11:28 PM, Toby Burress <kurin at delete.org> wrote:
> On Sun, Apr 25, 2010 at 11:15:24PM -0400, Ian Stokes-Rees wrote:
>> OpenLDAP + 389 DS + WebMin + UserMin seem like they could do this, and
>
> Yes, this is actually what we have now, and it works very well for what
> we need.  What we don't use it for is workstation auth; if that were my
> problem I would say AD and just wait for my boss to hand me a credit card.
> But for network services, apache, etc, it's fantastic.
>
>> that is the path I've started down.  Most CMS systems (and Django, the
>> main one we're using) will play nicely with LDAP, as will Apache httpd.
>> ssh login will also be manageable via this system (of course).  I'd like
>> to be able to script ~/.ssh/authorized_keys file updates via web-based
>> user-driven public-key additions (many accounts are shared for various
>> good reasons), and similarly for X.509-based public key systems.
>
> http://code.google.com/p/openssh-lpk/ it works very well on fbsd.  I think
> for debian/ubuntu you have to build your own sshd.  No idea about Red Hat.
>
> pam_ldap lets you choose who can log into which servers with the group_dn
> directive, and sudo has ldap integration too, so this way you can entirely
> control who can log into what server with ldap.
>
> Alternatively, you could use Kerberos, as ssh supports gssapi.  I haven't
> actually tried this though.
>
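As an added illustration of the openssh-lpk plus group-gated access arrangement Toby describes above (example code added here, not from the thread or the openssh-lpk project): it mimics what an sshd AuthorizedKeysCommand would emit from directory data, with a constructed in-memory sample standing in for the LDAP query, and validates each stored sshPublicKey value before trusting it. The group name, user names and key material are all made up for the example.

```python
import base64
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(s: bytes) -> bytes:
    """Encode bytes as an SSH wire string (uint32 length prefix + data)."""
    return struct.pack(">I", len(s)) + s


def _blob(key_type: str, key_bytes: bytes) -> str:
    """Build a base64 public-key blob for the constructed sample below."""
    return base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(key_bytes)).decode()


# Constructed sample directory data (not from a real server): two users in the
# openssh-lpk schema (objectClass ldapPublicKey, attribute sshPublicKey) and
# one posixGroup that acts as the SSH access gate.
SAMPLE_PEOPLE = {
    "alice": {"objectClass": ["posixAccount", "ldapPublicKey"],
              "sshPublicKey": [
                  "ssh-ed25519 " + _blob("ssh-ed25519", b"\x01" * 32) + " alice@laptop",
                  # Declares ssh-rsa but the blob encodes an ed25519 type: rejected.
                  "ssh-rsa " + _blob("ssh-ed25519", b"\x02" * 32),
                  "not-a-key at all"]},
    "bob": {"objectClass": ["posixAccount", "ldapPublicKey"],
            "sshPublicKey": ["ssh-ed25519 " + _blob("ssh-ed25519", b"\x03" * 32)]},
}
SAMPLE_GROUP = {"cn": "sshusers", "memberUid": ["alice"]}


def valid_public_key(line: str) -> bool:
    """Accept only well-formed 'type base64 [comment]' lines whose blob really
    starts with the declared key type, so junk stored in LDAP never reaches sshd."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        raw = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode() == parts[0] and len(raw) > 4 + n
    except Exception:
        return False


def authorized_keys_for(uid: str, people=SAMPLE_PEOPLE, group=SAMPLE_GROUP) -> list:
    """Keys an AuthorizedKeysCommand would print for uid: only for users that
    carry the ldapPublicKey class AND are members of the access group."""
    entry = people.get(uid)
    if not entry or "ldapPublicKey" not in entry["objectClass"]:
        return []
    if uid not in group.get("memberUid", []):
        return []
    return [k for k in entry.get("sshPublicKey", []) if valid_public_key(k)]
```

In a real deployment the two dictionaries would be replaced by an LDAP search, and only the validated lines would be written to stdout for sshd.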
