On Mon, 2013-02-11 at 09:52 +0000, David Woodhouse wrote:
> On Mon, 2013-02-11 at 08:29 +0100, Stef Walter wrote:
> > > In GNOME 3.6 Enterprise logins were introduced. This feature is very
> > > attractive for enterprise deployments because it makes it possible to
> > > add GNOME workstations into Windows networks with Active Directory.
> > > My understanding of this feature is that it only enables users to
> > > log on to their GNOME workstations, so it doesn't enable them to use the
> > > shared folders or network printers of their domains without logging in
> > > again for every shared resource.
> >
> > Well it should do those things. I know that the shared folders do
> > work. For example, we tested it in Fedora:
>
> And automatic login with NTLM, and keeping a Kerberos TGT valid, are
> both mostly solved problems too. Although we do need to dust that work
> off and merge it.
With MIT Kerberos it is possible in /etc/krb5.conf to force checking of the KDC, but normally it means that the client process needs read access to /etc/krb5.keytab, which is only readable by root. Which means that gnome-shell/gnome-screensaver can't check the responding KDC when unlocking the session = a possibility of KDC spoofing.

Any designs for this problem which don't require 'sssd'?

One possibility is to install, in a world-readable keytab, some other ticket whose only use is to permit the screensaver to check KDC validity. pam_krb5 at login time uses (I think) the host/'fqdn of client' ticket to check KDC identity.

_______________________________________________
desktop-devel-list mailing list
[email protected]
https://mail.gnome.org/mailman/listinfo/desktop-devel-list
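A concrete shape for the "separate keytab" idea in the message above, as an added example and not configuration from the thread, from GNOME or from MIT Kerberos itself: a krb5.conf fragment showing the weak default (the KDC check is quietly skipped when the verifying process cannot read a keytab) next to the setting that makes the check mandatory, and where a single-purpose keytab for the lock screen would fit. The realm EXAMPLE.COM, the host name, the principal lockscreen/ws01.example.com and the keytab path are assumptions; that principal would still have to exist in the domain and its key be exported into the file (with whatever domain-join tooling enrolled the machine), which is outside this fragment.

```ini
; /etc/krb5.conf fragment (added example; realm, host, principal and
; keytab path are assumptions, not values from the thread)
[libdefaults]
    default_realm = EXAMPLE.COM

    ; Weak (the MIT default): when the process calling
    ; krb5_verify_init_creds() cannot read a keytab, the check of the
    ; responding KDC is skipped and a spoofed KDC that answers the AS
    ; exchange for the user is accepted, i.e. the screen unlocks.
    ; verify_ap_req_nofail = false

    ; Hardened: an unreadable keytab, or a service ticket that does not
    ; decrypt with the local key, makes verification fail closed.
    verify_ap_req_nofail = true

    ; The system keytab stays root-only and keeps the host/ key; do not
    ; loosen its permissions to make the lock screen work.
    default_keytab_name = FILE:/etc/krb5.keytab

    ; Assumption: the lock-screen process is started with
    ;   KRB5_KTNAME=FILE:/etc/krb5.lockscreen.keytab
    ; in its environment, so its verification uses a keytab that holds only
    ;   lockscreen/ws01.example.com@EXAMPLE.COM
    ; and nothing else. A group-readable file (root:lockscreen, mode 0640)
    ; is tighter than the world-readable one suggested above, because
    ; whoever can read that key can impersonate the KDC to that process.
```

With `verify_ap_req_nofail = true` and no readable keytab, an unlock attempt is rejected rather than left unverified, which is the intended fail-closed behaviour but also why the separate keytab is needed. `klist -k /etc/krb5.lockscreen.keytab` lists the principals the file contains and is a quick way to confirm that the host/ key did not end up in it.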
