[14652] in Kerberos
RE: UID's and GID's ?
daemon@ATHENA.MIT.EDU (Mayers, Philip J)
Wed Jul 11 10:54:28 2001
Message-ID: <A0F836836670D41183A800508BAF190B35E80F@icex1.cc.ic.ac.uk>
From: "Mayers, Philip J" <p.mayers@ic.ac.uk>
To: "'erebus00j_2@yahoo.com'" <erebus00j_2@yahoo.com>, kerberos@mit.edu
Date: Wed, 11 Jul 2001 15:50:25 +0100
MIME-Version: 1.0
Content-Type: text/plain
Nothing - Kerberos is *totally* authentication. Things like getpwnam and
getpwuid (looking up users by name or UID) are the responsibility of the NSS
(Name Service Switch on Solaris/Linux and IRS on *BSD).
So, most login programs work like this:
get username,password
authenticate(username,password) -> passes to Kerberos via e.g. PAM
uid,gid,homedir,loginshell = getpwnam(username)
setgid(gid)
initgroups(username)
setuid(uid)
chdir(homedir)
exec(loginshell)
Kerberos will do the second step - for anything else, you need something
like NIS/NIS+/LDAP (preferably) for a centralised database, or local files for a local database.
Note that there's an optional way to do this:
get username,password
mappedusername = authenticate(username,password) -> passes to Kerberos via e.g. PAM
uid,gid,homedir,loginshell = getpwnam(mappedusername)
setgid(gid)
initgroups(mappedusername)
setuid(uid)
chdir(homedir)
exec(loginshell)
This allows you to implement "template" users - e.g. for a shell-account
machine which is just used for changing password etc., all users can be
logged in as "nobody" (make sure to set TMP differently, ideally chroot
them), so they have identical local (Unix) credentials but different
kerberos creds. Useful on occasion.
Hope that clears things up.
Regards,
Phil
+----------------------------------+
| Phil Mayers, Network Support |
| Centre for Computing Services |
| Imperial College |
+----------------------------------+
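The post-authentication half of the login sequence Phil describes, written out as an added C example (not code from the original message). It assumes the Kerberos step via PAM has already succeeded; map_user is a hypothetical stand-in for the "mapped username" step using a constructed "<user>/pwchange" naming convention, and drop_to performs the setgid/initgroups/setuid steps in the order given, treating every failure as fatal.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define TEMPLATE_USER "nobody" /* constructed: shared local account for template users */

struct login_ident { uid_t uid; gid_t gid; char home[256]; char shell[256]; };

/* Hypothetical "mapped username" step: principals named "<user>/pwchange"
 * (a constructed convention) share the template account; everyone else
 * keeps a local account with the same name. Kerberos has already
 * verified the password by the time this runs. */
const char *map_user(const char *user)
{
    const char *suffix = "/pwchange";
    size_t ul = strlen(user), sl = strlen(suffix);
    return (ul >= sl && strcmp(user + ul - sl, suffix) == 0) ? TEMPLATE_USER : user;
}

/* getpwnam() is answered by NSS (files/NIS/LDAP), never by the KDC: the
 * UID, GID, home and shell must exist there or the login cannot proceed. */
int resolve_ident(const char *name, struct login_ident *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    snprintf(out->home, sizeof out->home, "%s", pw->pw_dir);
    snprintf(out->shell, sizeof out->shell, "%s", pw->pw_shell);
    return 0;
}

/* Drop privileges in the order the message gives: groups first, UID last,
 * because once the UID is non-root setgid()/initgroups() fail and the
 * session would keep root's supplementary groups. Every failure is fatal
 * (returns -errno); on success the process has exec'd the login shell. */
int drop_to(const char *name, const struct login_ident *id)
{
    if (setgid(id->gid) != 0) return -errno;
    if (initgroups(name, id->gid) != 0) return -errno;
    if (setuid(id->uid) != 0) return -errno;
    if (id->uid != 0 && setuid(0) == 0) return -EPERM; /* drop must be irreversible */
    if (chdir(id->home) != 0) return -errno;
    execl(id->shell, id->shell, (char *)NULL); /* only returns on failure */
    return -errno;
}
```

Only a process that is still root can complete drop_to; a non-root caller gets -EPERM back from initgroups, which is exactly the failure a login program must refuse to ignore.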
-----Original Message-----
From: erebus00j_2@yahoo.com [mailto:erebus00j_2@yahoo.com]
Sent: 11 July 2001 04:08
To: kerberos@MIT.EDU
Subject: UID's and GID's ?
I am very new to the conceptual functionality of kerberos. If I were to
implement a KDC server and I had various unix machines authenticating to
that server, what happens to the /etc/passwd (and/or /etc/shadow) files? If
the unix machines are authenticating against the KDC, then are the UID's
still stored in /etc/passwd or does the kerberos database keep track? The
former doesn't seem likely, since every unix machine would have to have an
updated copy of /etc/passwd (like in the old old unix days). I have not gone
ahead with a kerberos installation yet, and maybe when I do, this point will
seem blissfully ignorant, but I have not read anything in any kerberos
documentation about UID's and how they are maintained across machines.
Am I looking at this completely wrong? Any information would be appreciated to
set me on the right path if so. ;)
Thanks.