[29010] in Kerberos

Re: Password Syncing to Kerberos using SFU's ssod

daemon@ATHENA.MIT.EDU (Javier Palacios)
Thu Jan 10 13:49:51 2008

Message-ID: <a64bf030801101048k3bb22d3byfaee0d3b50264be1@mail.gmail.com>
Date: Thu, 10 Jan 2008 19:48:57 +0100
From: "Javier Palacios" <javiplx@gmail.com>
To: Colin.Simpson@iongeo.com
In-Reply-To: <1199895123.29510.19.camel@cowie.iouk.ioroot.tld>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> So I was looking for alternatives. MS's SFU ssod looks ok but only
> supports NIS password changes (out of the box). I don't suppose anyone
> has changed ssod to support Kerberos password changes.

I guess you already have an AD, so you don't need either CEDAR or
password sync. The only thing you need is the schema extension from
SFU (not the NIS thing). Using pam-krb5 and nss-ldap will give you a
high degree of integration, at least as good as with any password
replication and much easier. If you want to turn Unix
workstations/servers into domain members, you can choose from adkadmin
(http://www.css-security.com/cgi-bin/dnld_list.pl), ktpass.exe (from
W2K support tools, don't remember the exact name) or samba (>=3).
I made such a setup with a 2003 AD around 2004 and it worked fine. I
even got an apache server as domain "member", allowing GSSAPI and
single-sign-on.

> Or knows of a better password change hook in windows (and not too
> pricey).

In the non-open world you have Vintela (never used and no idea about price).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
