[39042] in Kerberos


Re: Kerberos Server Implementation

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Jan 21 14:23:02 2022

From: Russ Allbery <eagle@eyrie.org>
To: Charles Hedrick <hedrick@rutgers.edu>
In-Reply-To: <7E724A28-77D8-4ED9-A84F-F537B122FF63@cs.rutgers.edu> (Charles
 Hedrick's message of "Fri, 21 Jan 2022 18:40:18 +0000")
Date: Fri, 21 Jan 2022 11:19:16 -0800
Message-ID: <87czkkvqvf.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "Gupta, Divyansh" <guptadiv@amazon.com>,
        "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Charles Hedrick <hedrick@rutgers.edu> writes:

> This is a client-server pair designed to create home directories for
> users. When you’re using kerberized NFS the normal pam_mkhomedir won’t
> work, because it assumes that root can create directories in the file
> system. With kerberized NFS, root has no special privileges. So we have
> a pam_kmkhomedir that calls a process on the file server to do the
> creation.

> If I were doing it again, I’d probably write it using GSSAPI rather than
> a basic Kerberos client / server. Then I could write the server as a web
> service in python and use libcurl on the client side. Unfortunately it
> doesn’t seem to be practical to write a pam module in anything other
> than C, but with libcurl all the GSSAPI stuff is handled by the
> library. If the client isn’t a pam module, it’s easy enough to write a
> GSSAPI client in python. (I can give you example client-server if you
> need it.)

You may also be interested in remctl, which is designed to do this sort of
thing.

https://www.eyrie.org/~eagle/software/remctl/

-- 
Russ Allbery (eagle@eyrie.org)             <https://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

