On Sat, 2 Aug 2003, Buchan Milne wrote:

> If it were possible to split out the basics
> of the GUIs from drakX into a standalone, I can take a look at getting
> chkauth (lacking a better method for now) to work with user-modified
> configs.

That will teach me to read cooker before changelog ;-). Thanks for splitting out drakauth, I will try and get you some patches next week ...

> > How would you prefer to have the auth tools improved?
>
> It would be cool to have Active Directory authentication available
> (kerberos/winbind3), but maybe that is something for after 9.2, so I can
> test it in production first ...

BTW, one of the things I found relating to this is that win2k/win2k3 register Kerberos-style SRV records for the kpasswd, kerberos and ldap services. Kerberos has support for reading the kdc and admin server from DNS like this, so if a query for _kerberos._tcp.$DOMAIN succeeds, I think dns_lookup_kdc can be set to true and kdc in the realm definition need not be specified, and if a query for _kpasswd._tcp.$DOMAIN succeeds, dns_lookup_realm can be set to true and admin_server in the realm definition need not be specified.

For instance, the queries that should be run to test for this would look like this:

$ dig +short @<dns server> _kerberos._tcp.<domain> SRV

Which should return something like this:

0 100 88 bgmilne-win2kas.winbind-test.local.

Similarly, AFAIK both nss_ldap and pam_ldap support ldap server location via DNS via the _ldap._tcp SRV record, so if a query for _ldap._tcp works, it may be best not to set the host option in /etc/ldap.conf. I will try and do some tests with this also ...

I have put an example krb5.conf I used with a win2k/win2k3 box here:

http://ranger.dnsalias.com/mandrake/cooker/krb5.conf

Most of the file was left as the default /etc/krb5.conf, only the winbind-test.local entries were modified, the kdc and admin_server entries removed from the realm definition, and the dns_lookup_* entries set to true.
Regards,
Buchan

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne
Mechanical Engineer, Network Manager
Cellphone: +27 82 472 2231
Work: +27 21 8828820x121
Stellenbosch Automotive Engineering
http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
