Kenneth,

Most Kerberos servers are authentication-only servers: they do not store the additional attributes necessary to perform authorization under Unix, and even if they did, Unix systems generally don't pay attention to Kerberos authorization data, so they would need to expose this information by some other protocol. And even if the Unix system honoured numeric UIDs and GIDs in the authorization data, a directory of sorts is still needed post-logon in order to do name resolution, say, when you type "ls -al".

The DCE security registry supported Extended Registry Attributes (ERAs) which could be used for such information, and could be integrated with the local Unix nameservice -- indeed, Paul Henson's nss_dce was one of the first third-party nameservice switch modules.

There is a moral equivalent, and that's using an integrated authentication and directory server: Active Directory is a good example, but one could just as easily use the LDAP backend to Heimdal we wrote some time back along with our nss_ldap module and pam_krb5. The backend and modules are all open source.

It's important to understand that a user's numeric user and group IDs, along with their home directory, shell, etc., are all required at Unix logon time, and these have to come from somewhere. Without getting into a religious argument, storing this information along with a user's key in a single repository offers some administrative reward at the expense of increasing exposure should the directory be compromised.

-- Luke

>From: Kenneth Stephen <[EMAIL PROTECTED]>
>Subject: Kerberos and integrated login
>To: <[EMAIL PROTECTED]>
>Date: Wed, 15 Jan 2003 22:01:01 -0600 (CST)
>
>Hi,
>
> DCE (at least IBM DCE does) provides an integrated login daemon
>which if running on a DCE client, allows a dce login to a DCE user even if
>the user is not a local user. No more duplication of userid databases -
>one just has to be defined as a user in the DCE registry. Is there an
>equivalent for Kerberos?
>
>Thanks,
>Kenneth
>
>________________________________________________
>Kerberos mailing list [EMAIL PROTECTED]
>http://mailman.mit.edu/mailman/listinfo/kerberos

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
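The distinction Luke draws above, between a KDC proving who a principal is and a name service supplying the uid, gid, home directory and shell a Unix logon needs, can be modelled as two separate steps. The following is an added example, not code from the list post or from PADL's pam_krb5 or nss_ldap modules: a simplified principal-to-local-name mapping in the spirit of a krb5.conf auth_to_local rule, followed by a lookup in a constructed passwd map standing in for what NSS would return from a directory. The realm PADL.COM, the account names and their attributes are all constructed sample data.

```python
"""Added example: a Kerberos-authenticated principal still needs POSIX
attributes from a name service before a Unix logon can complete.

Step 1 maps a principal to a local account name (simplified stand-in for an
auth_to_local rule; assumption, not the real krb5 implementation).
Step 2 looks the name up in a constructed passwd map (stand-in for NSS).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PosixAccount:
    """The attributes a Unix logon requires, none of which a KDC provides."""
    name: str
    uid: int
    gid: int
    home: str
    shell: str


# Constructed sample data: what a directory-backed passwd map might hold.
SAMPLE_PASSWD: Dict[str, PosixAccount] = {
    "lukeh": PosixAccount("lukeh", 1001, 100, "/home/lukeh", "/bin/sh"),
    "kenneth": PosixAccount("kenneth", 1002, 100, "/home/kenneth", "/bin/ksh"),
}


def principal_to_localname(principal: str, local_realm: str) -> Optional[str]:
    """Map a principal to a local account name, or None if it must not map.

    Only single-component principals in the local realm are accepted; a foreign
    realm or an instance such as user/admin is refused, which mirrors the
    conservative default of having no auth_to_local rule for them.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != local_realm:
        return None  # wrong or missing realm: never map across realms by default
    if not name or "/" in name:
        return None  # instances (user/admin) are not ordinary login accounts
    return name


def lookup_posix(localname: str,
                 passwd_map: Dict[str, PosixAccount] = SAMPLE_PASSWD
                 ) -> Optional[PosixAccount]:
    """Stand-in for getpwnam() against a directory-backed NSS passwd map."""
    return passwd_map.get(localname)


def resolve_logon(principal: str, local_realm: str,
                  passwd_map: Dict[str, PosixAccount] = SAMPLE_PASSWD
                  ) -> Tuple[Optional[PosixAccount], str]:
    """Return (account, reason). account is None whenever logon cannot proceed,
    even though the principal may have authenticated to the KDC perfectly well.
    """
    localname = principal_to_localname(principal, local_realm)
    if localname is None:
        return None, "principal does not map to a local account name"
    account = lookup_posix(localname, passwd_map)
    if account is None:
        # Kenneth's situation: the user exists in the KDC but nowhere else.
        return None, "authenticated, but no POSIX attributes in the name service"
    return account, "ok"


if __name__ == "__main__":
    for p in ("lukeh@PADL.COM", "bob@PADL.COM", "lukeh@OTHER.COM", "lukeh/admin@PADL.COM"):
        account, reason = resolve_logon(p, "PADL.COM")
        print(f"{p:24} -> {reason}" + (f" uid={account.uid} home={account.home}" if account else ""))
```

The second case is exactly the gap Kenneth describes: the KDC will happily issue a ticket for bob@PADL.COM, but with no passwd entry for bob there is no uid to switch to and no home directory to chdir into, so the login has to fail. Putting those attributes in a directory that nss_ldap can query is what closes the gap.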
