[29026] in Kerberos
Re: Heimdal KDC, Windows XP and local users
daemon@ATHENA.MIT.EDU (Volkmar Glauche)
Mon Jan 14 07:09:37 2008
From: Volkmar Glauche <volkmar.glauche@uniklinik-freiburg.de>
To: kerberos <kerberos@mit.edu>
In-Reply-To: <a64bf030801140327ub0f309fo3a55c8ca24c7689f@mail.gmail.com>
Date: Mon, 14 Jan 2008 13:08:40 +0100
Message-Id: <1200312520.5134.30.camel@nz23161.ukl.uni-freiburg.de>

On Monday, 14.01.2008, at 12:27 +0100, Javier Palacios wrote:
> On Jan 14, 2008 12:06 PM, Volkmar Glauche
> <volkmar.glauche@uniklinik-freiburg.de> wrote:
> > > Sure. But this again means the toil of maintaining two databases: the
> > > NIS map and the KDC database.
> >
> > I think you will need two databases: one for kerberos credentials and
> > another one for account information. Kerberos does not tell you about a
> > user's home directory or shell...
>
> You don't need two databases. Both heimdal and MIT current versions
> allow LDAP as "database" for credentials so you have a single
> database. I've not used MIT, but I've been using heimdal-ldap for a
> long time without problems.

This is true. I'm doing the same with Heimdal as you. But if there are
security concerns about storing Kerberos credentials in LDAP, then you
need 2 databases. A KDC doesn't store anything other than credentials in
its native database.

> Maybe you need two interfaces, but just because you cannot set the
> password using only LDAP tools (unless you know the internals of the
> way passwords are encoded into the kerberos repository).
>
> Javier Palacios
--
Volkmar Glauche
Freiburg Brain Imaging
http://fbi.uniklinik-freiburg.de/
Phone +49(0)761 270-5331
Fax +49(0)761 270-5416
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos