[Klug-general] Kerberos

Peter Childs pchilds at bcs.org
Thu Apr 28 18:20:10 UTC 2011


Let me get this right.

Kerberos is a protocol for transferring security details a bit like
ssh private/public keys.

Kerberos has its own password file to store its passwords in. You can
store them elsewhere but this is not normal.

LDAP is often used to store the rest of the account details in, such as
default shells, home directories etc. LDAP can use Kerberos to
store its security data.

In effect Kerberos is a network replacement for the /etc/shadow file and
is attached to PAM.

LDAP is a replacement for nsswitch and is used to replace the
/etc/passwd file, which does not store passwords anymore anyway.

Hence you actually end up with two user databases, one in Kerberos and
one in LDAP, which means some database duplication and the need to keep
both user lists in sync...

There is also no reason you need to use LDAP with Kerberos; you could
use Kerberos with PostgreSQL if you like.

You can also tell Kerberos to store its passwords in LDAP but that
means LDAP can't use Kerberos to do its security because you would
then have a circular dependency.

Kerberos and LDAP are used by Samba and need to be set up correctly if
you want to run a PDC with anything less than the simplest of settings,
or want Samba to look like an Active Directory.

Or am I completely up a tree and confused...

Peter.
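As an added illustration (not part of Peter's message), this is roughly how the split he describes looks on a Linux client: account records (uid, home directory, shell) come from LDAP via nsswitch, while password verification goes to Kerberos via PAM. The hostnames, base DN, realm name and file locations are placeholders; the exact PAM file layout varies between distributions.

```conf
# /etc/nsswitch.conf  (constructed example)
# Account details come from local files first, then from LDAP.
# There is deliberately no "shadow: ldap" line: the secrets live in
# the Kerberos KDC, not in the directory.
passwd:   files ldap
group:    files ldap
shadow:   files

# /etc/nslcd.conf  (constructed; the file name depends on which NSS LDAP module is installed)
uri     ldap://ldap.example.org/
base    dc=example,dc=org

# /etc/krb5.conf  (constructed example)
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc          = kdc.example.org
        admin_server = kdc.example.org
    }

# /etc/pam.d/common-auth  (constructed; Debian-style layout)
# Password checking is handed to the KDC, which plays the "network
# /etc/shadow" role; local /etc/shadow is only consulted as a fallback
# for accounts the KDC does not know (e.g. system users below uid 1000).
auth    sufficient  pam_krb5.so minimum_uid=1000
auth    required    pam_unix.so try_first_pass
```

A quick sanity check after wiring this up is `getent passwd <user>` (should return the LDAP record) followed by `kinit <user>` (should obtain a ticket from the KDC); if one works and the other does not, the fault is on that side of the split.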