Hi all,

A while ago, I figured out how to set up Debian lenny as a Kerberos and LDAP client for user authentication and authorization. K5start is important for this, because if the workstation cannot automatically obtain a Kerberos ticket for itself as it boots up, it has no way to authenticate to the LDAP server and then check if the user also has a necessary LDAP account.

However, a lot of this depends on how init behaves: if it runs k5start before the network comes up, the process will fail and the user will not be able to log in. I had this experience recently with Ubuntu 10, which uses a replacement init called upstart. Once I had managed to write a reasonable /etc/init/k5start.conf, it only seemed to work some of the time. Other times I would have to switch to a console screen and run "initctl start k5start" manually before I could log in. Even worse, sometimes upstart even failed to start up the getty processes for the consoles, forcing me to first use another machine to ssh to the workstation to start up kstart (and maybe a getty).

Has anyone managed to configure k5start to work on Ubuntu 10 (lucid) with upstart?

And if that's not bad enough, what can be done for all those laptop users out there who are used to managing their network connections from their desktops? In such cases, there may not be a network connection until after they log in. Personally, I'd first log in as root, establish the appropriate network connection from the command line and then run k5start before switching back to xdm, gdm, or kdm, but that's not something we can expect normal users to feel comfortable with. All I can think of is that something be built into xdm, gdm and kdm to allow the network connections (including wireless) to be managed before users log in.

Cheers,
Jaap
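One way to express the ordering problem described in the message above as an upstart job. This is an added example, not the poster's own /etc/init/k5start.conf. The keytab path, the ticket cache path and the binary location are assumptions and must match the local Kerberos and LDAP client setup.

```conf
# /etc/init/k5start.conf (added example; paths below are assumed)

description "maintain the host's Kerberos ticket with k5start"

# Do not start on filesystems alone: wait until a non-loopback
# interface has come up, so the KDC can actually be reached.
start on (local-filesystems and net-device-up IFACE!=lo)
stop on runlevel [016]

# If the KDC is still unreachable and k5start exits, upstart restarts it.
respawn

pre-start script
    # Without a readable keytab there is nothing to authenticate with.
    # Calling "stop" from pre-start cancels the job instead of letting
    # respawn loop on a guaranteed failure.
    [ -r /etc/krb5.keytab ] || { stop; exit 0; }
end script

# No -b here: upstart supervises the foreground process directly.
#   -U  take the principal from the first entry in the keytab
#   -f  keytab to authenticate from (assumed path)
#   -K  wake every 10 minutes and renew the ticket when needed
#   -k  ticket cache the LDAP client reads (assumed path)
#   -L  log to syslog
exec /usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -k /tmp/krb5cc_host -L

# Pause between restarts so the default respawn limit (10 restarts in
# 5 seconds) is not exhausted while the network is still settling.
post-stop exec sleep 5
```

This covers interfaces that come up during boot. It does not cover the laptop case in the message, where no network exists until after the user has logged in.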
