Kerberos, ADS and NFSv4
Edward Murrell
edward at dlconsulting.com
Mon Aug 28 03:06:12 BST 2006
George Farris wrote:
> On Tue, 2006-15-08 at 13:39 -0500, Jerry Haltom wrote:
>
>> I've written down a braindump of some of my thoughts on this subject
>> (over a year ago) at wiki.ubuntu.com/domainauthenticationutility.
>> You're welcome to write down more, or assist.
>>
>> I don't believe there is a Canonical push in this area yet. I think
>> though that if there was some community activity, it wouldn't be hard to
>> get official support + assistance for it.
>>
>>
>
> Does anyone actually have working configurations of NFSv4 and Kerberos,
> Samba, LDAP and AD?
>
> I would like to see this so I can add additional input and do some work
> on this. I've never dealt with Kerberos before or AD so having someone
> who is running this available to ask questions of would be great.
>
> Thanks
>
>
I have most of the above working, except for NFSv4. It's installed, and
it transfers files, but the group permissions are just plain broken.
I've been running LDAP since I took over the network admin a couple
of years ago, and I added Kerberos (MIT version) to the mix mid 2005.
So far, I have been unable to get Samba to use Kerberos. My
understanding is that Microsoft has essentially stuffed LDAP information
inside their Kerberos implementation in an undocumented way. This means
that Linux can use MS Kerberos, by ignoring the bits it doesn't
understand, but the reverse is not always true. However, I think
(untested) an AD server can 'translate' an MIT Kerberos server for its
Windows clients.
Samba can use Kerberos if it has a real MS AD server though.
The result is that here, users have their Windows password (stored in
LDAP) for logging in to XP/TS, and a Kerberos password (for Linux
workstations, and everything else like mail).
However, this is in a technically oriented company where most people use
Linux or Mac, and probably isn't suitable for a large company with a
large number of non-technical users.
Also, I am led to believe (don't have the link sorry) that MS refuses to
offer support on anything but the stock install. So, anything that
modifies the database schema of their LDAP servers is out of the question.
Currently, if you wanted to have completely transparent LDAP and Kerberos
usage across Windows and *nix, the best solution is to set MS or *nix as
your primary Directory servers, and set the secondary to automatically
pull down the configuration from the primaries, and generate the missing
LDAP information it needs, also setting the secondaries to use the
primaries' Kerberos servers.
I highly recommend O'Reilly's Kerberos book if you want to explore this
further.
If you have any other questions, drop them here. I'm very keen to see
this area developed properly. Maybe then I can get rid of NFSv3!
-
While I think of it, the current dapper install will add 127.0.1.1 as
the address for the host name of the local machine. This breaks Kerberos
if you use the single host name as the reverse DNS where the computer
needs to talk to itself. The counter-argument is that reverse DNS should
return the whole FQDN, not just the hostname.
Regards
Edward Murrell
edward at dlconsulting.co.nz
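The 127.0.1.1 problem mentioned at the end of the post above is easy to reproduce on paper. An MIT Kerberos client that is asked for a service on "fileserver" does a forward lookup, then (with reverse canonicalisation on, the MIT default) a reverse lookup of the resulting address, and uses the canonical name that comes back to build the service principal. With glibc's files backend, the canonical name is the first name on the first matching /etc/hosts line, so a Dapper-style "127.0.1.1 fileserver" line turns a request for host/fileserver.example.com@EXAMPLE.COM into host/fileserver@EXAMPLE.COM, which is not in the keytab. The script below is an added example written for this page, not code from the post or from Ubuntu; it simulates that lookup chain over two constructed /etc/hosts texts (the hostname, realm, addresses and keytab contents are all invented) and shows the broken file beside the corrected one, where the FQDN is listed first on the 127.0.1.1 line.

```python
"""Added example (not from the post above): simulate MIT Kerberos service
principal canonicalisation against a Dapper-style /etc/hosts and against a
corrected one.  All names, addresses and keytab entries are constructed."""

REALM = "EXAMPLE.COM"     # assumed realm
HOST = "fileserver"       # assumed short host name of the local machine
DOMAIN = "example.com"    # assumed DNS domain

# Dapper-style hosts file: the 127.0.1.1 line carries only the short name,
# so a reverse lookup of 127.0.1.1 yields "fileserver".
HOSTS_BROKEN = """\
127.0.0.1 localhost
127.0.1.1 fileserver
192.0.2.10 fileserver.example.com fileserver
"""

# Corrected: the canonical name (first after the address) is the FQDN.
HOSTS_FIXED = """\
127.0.0.1 localhost
127.0.1.1 fileserver.example.com fileserver
192.0.2.10 fileserver.example.com fileserver
"""


def parse_hosts(text):
    """Return (address, [names]) tuples in file order, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def forward_lookup(entries, name):
    """Address of the first line that lists `name` (files backend order)."""
    for addr, names in entries:
        if name in names:
            return addr
    return None


def reverse_lookup(entries, addr):
    """Canonical (first) name of the first line carrying `addr`."""
    for a, names in entries:
        if a == addr:
            return names[0]
    return None


def canonical_service_host(hosts_text, hostname):
    """Mimic krb5's forward-then-reverse canonicalisation of a service host."""
    entries = parse_hosts(hosts_text)
    addr = forward_lookup(entries, hostname)
    if addr is None:
        return hostname  # nothing to canonicalise against; keep name as given
    return reverse_lookup(entries, addr) or hostname


def service_principal(hosts_text, hostname, service="host", realm=REALM):
    """Principal name a client would request for service@hostname."""
    return f"{service}/{canonical_service_host(hosts_text, hostname)}@{realm}"


# A typical keytab only holds the FQDN form of each service principal.
KEYTAB = {f"host/{HOST}.{DOMAIN}@{REALM}", f"nfs/{HOST}.{DOMAIN}@{REALM}"}


def check(hosts_text):
    """(requested principal, whether the local keytab can serve it)."""
    principal = service_principal(hosts_text, HOST)
    return principal, principal in KEYTAB


if __name__ == "__main__":
    for label, text in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        principal, ok = check(text)
        print(f"{label:6}: requests {principal} -> "
              f"{'found in keytab' if ok else 'NOT in keytab'}")
```

On a real machine the equivalent check is `getent hosts "$(hostname)"`, whose first name column is the canonical name the Kerberos library will see; if it prints the short name, either list the FQDN first on the 127.0.1.1 line (as in HOSTS_FIXED) or drop that line and let DNS answer. MIT Kerberos also has an `rdns = false` setting in the `[libdefaults]` section of krb5.conf that skips the reverse step entirely, at the cost of trusting the forward lookup alone.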