Quote:
|
sorry Niki, but I think Didier is right: what is the purpose of reviving this thread, just for quoting a three months' old statement?
maybe the discussion should be carried on in one place only. |
The other thread is "Solved" and it is going off-topic.
Also, 3 months is not that long. :) If it is, kindly ask a moderator to move my post to the more recent thread. |
Quote:
|
Quote:
Could this post be moved in its own thread? ("PAM only, no kerberos") - maybe the simplest would be for Slax-Dude to re-post in a new thread? |
Quote:
|
Quote:
Regarding "we will likely never do "PAM only, no Kerberos"", I am curious about your rationale. Anyway, this is an interesting clarification about what to expect. Thanks. |
Quote:
|
Quote:
I completely sympathize with the wariness over krb5's invasiveness, though. Perhaps there's an alternative, or a way to make krb5 better-encapsulated. Will ponder. |
You need kerberosv5 for handshake authentication between server and client especially samba. Unless you want a halfassed server...
|
Quote:
Let's say Bob is a sysadmin and has to access hundreds of Unix servers via SSH. A good practice is obviously to request that Bob logs into servers as Bob (then su / sudo) for traceability.
Bob is logged on his Windows PC on the AD domain. Bob fires putty and goes to some server. At the login prompt, he enters his name and password (his password in the AD domain - same as the Windows password). On the server, Bob is authenticated by AD, and enters a server session under his identity. No Kerberos is required for this scenario on the server. PAM (with the standard LDAP auth module) is enough.
Now maybe what we would like to achieve is single sign-on login (SSO): Bob fires putty, goes to the server and is automatically authenticated by AD (no need to enter his password again, his Windows authentication is transparently reused for servers where he is authorized). In that SSO scenario, Kerberos is used in the background (IIRC, putty supports GSSAPI/Kerberos with SSH2).
I believe that the first scenario (LDAP authentication) is quite common and much simpler to implement.
That said, I perfectly understand that
- supporting this sort of environment is not a priority for the Slackware team,
- it may be better for Slackware to either implement all the kit (PAM + Kerberos + deps + pamified/kerberized apps) like all major distros, or else implement nothing, rather than a partial solution. |
Quote:
A Directory consists of:
- LDAP database that replaces /etc/passwd and /etc/group and optionally other flat files.
- Kerberos database and KDC that replace /etc/shadow. Passwords are managed by Kerberos.
On the server you need something like this: /etc/pam.d/system-auth
Code:
auth sufficient pam_winbind.so
Quote:
Quote:
Cheers |
Quote:
- kerberos (the most well known these days)
- NTLMv2
- other methods (including the less secure NTLM, digest, down to plain text password)
NTLMv2 over ldaps is a perfectly valid and secure method involving no Kerberos ticket at all (--just a salted and hashed password). It is simple, works with the Windows password for Windows clients, and requires very few components on the target server.
On the other hand, Kerberos is the preferred solution for several reasons: Technically, it is a solid, secure, proven solution. It provides a good single sign-on solution for users -- once I am logged into my PC, I can access other servers and I am transparently authenticated (no password entry required). More importantly, it is the de facto standard in corporate environments, because of Microsoft prevalence, but also because it has been adopted and is supported by the major Linux distros (redhat, suse, debian, ubuntu) in corporate IT. It means that when you google for "Linux AD authentication", most of what you get is Kerberos-based auth.
For this non-technical reason only, I think that the Slackware team "PAM+Kerberos or nothing" approach is the wise one.
HTH
Phil |
While it indeed is doubtful reviving this thread will be decisive in any way I notice post #299 was marked 5 times while post #300 was marked "helpful" 1 time. So apparently this thread still serves some purpose. I do caution the next posters to first read and understand the whole thread before contributing though: rehashing serves no purpose at all.
|
What is the Current State of PAM and Slackware (Current)?
Looking for current guidance on the topic of PAM and Slackware, this thread surfaced.
Found the answer in the Changelog for Slackware64-Current. ref: ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt "Fri May 15 07:28:15 UTC 2020 Hey folks, just a heads-up that PAM is about to be merged into the main tree. We can't have it blocking other upgrades any longer. The config files could be improved (adding support for pam_krb5 and pam_ldap, for example), but they'll do for now. Have a good weekend, and enjoy these updates! :-)" |
What is the Current State of PAM and Slackware 15 to (Current)
Still interested since 15.0 was released last year and 15.1 is coming along.
What are best practices for configuration ... particularly with samba ad-dc ... |
Quote:
Some people who posted here aren't using Slackware anymore - like kikinovak and ivandi. |
Slackware This Forum is for the discussion of Slackware Linux.
What? this is in the slackware forum ..
LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware > slackware 15 and pam Slackware This Forum is for the discussion of Slackware Linux. Maybe you are lost ... "Some people who posted here aren't using Slackware anymore" |
Quote:
Quote:
In fact, nobody told you otherwise... All that was pointed out to you is that you are asking a samba configuration question in a 7 year old thread dedicated to implementing PAM in slackware15... As LuckyCyborg pointed out: please create a new thread and post your question "In the Slackware Forum"... not in an unrelated thread created by someone else 7 years ago... Is that clearer for you? |
Quote:
From my part, feel free to wait for kikinovak and ivandi to share with you their experience on LinuxPAM. :hattip: |