enterprise-ubuntu team mailing list archive

Kerberos implementation

Hello,

Sorry if this is off-topic, but I wanted to share the technical stuff with you.

I am currently working on Kerberos-based authentication and here is what I got.

I have an Apache server that is using a machine name (machine1.example.com) but also serves through a DNS CNAME record (webportal.example.com). The Apache server has a msktutil-issued ticket for HTTP/machine1.example.com.

1. I managed to get mod_apache_krb5 to verify users with Kerberos (without providing a password) thanks to the ticket issued by msktutil.
2. I managed to get Firefox to work with the machine name machine1.example.com.
3. I found that webportal.example.com does not work with single sign-on.

An interesting glitch in this scenario is that each Kerberos authentication attempt causes Firefox to freeze for ~5s.

I am using MIT Kerberos, which seems to be the default for both Red Hat and Ubuntu... at least MIT is in main, Heimdal is in universe.

Now, I have tried changing to Heimdal's Kerberos and I was positively surprised. Authentication does not cause Firefox to freeze, and the CNAME-based webportal.example.com site works with single sign-on as well.

I have also found that there is an NTLM provider that is supposed to extend the Negotiate protocol with NTLM (both v1 and v2), so SSO to non-Kerberos IIS pages should work. I am trying to make it work at this point.

It seems the Samba project is using Heimdal instead of MIT Kerberos. Perhaps it's more Microsoft-compatible? On the other hand, SSSD is not intending to support it:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/966146

Is somebody using Heimdal Kerberos instead of the default MIT?

Cheers,
Ballock
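Added example (not code from the post or from any of the projects named in it): a small model of the principal-matching question behind point 3, the CNAME host failing single sign-on. It assumes a client either uses the hostname exactly as typed in the URL or follows the CNAME to the canonical host before building HTTP/<host>, and that the keytab holds only the msktutil-issued machine principal; the DNS map and keytab contents are constructed.

```python
"""Model which service principal (SPN) a browser will request for a web
host, and whether the server's keytab can serve it.  Constructed example."""

# Constructed DNS view: CNAME aliases and the canonical host they point to.
DNS_CNAMES = {
    "webportal.example.com": "machine1.example.com",
}

# Constructed keytab contents, as `klist -k` would list them: only the
# machine name was registered (as in the post's msktutil setup).
KEYTAB_PRINCIPALS = {
    "HTTP/machine1.example.com@EXAMPLE.COM",
}

REALM = "EXAMPLE.COM"  # constructed realm name


def resolve_cname(host, dns=DNS_CNAMES, max_hops=8):
    """Follow CNAME records to the canonical name, refusing loops."""
    seen = []
    while host in dns:
        if host in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {host}")
        seen.append(host)
        host = dns[host]
    return host


def service_principal(host, canonicalize, dns=DNS_CNAMES, realm=REALM):
    """SPN the client asks the KDC for.  Assumption: a canonicalizing
    client follows the CNAME first and names the target host; a
    non-canonicalizing client uses the hostname exactly as typed."""
    target = resolve_cname(host, dns) if canonicalize else host
    return f"HTTP/{target.lower()}@{realm}"


def sso_possible(host, canonicalize, keytab=KEYTAB_PRINCIPALS):
    """True when the SPN the client will request exists in the keytab."""
    return service_principal(host, canonicalize) in keytab


def missing_principals(hosts, keytab=KEYTAB_PRINCIPALS):
    """SPNs that would have to be added to the keytab so that every
    alias works even for a client that does not canonicalize."""
    needed = {service_principal(h, canonicalize=False) for h in hosts}
    return sorted(needed - keytab)
```

Run `missing_principals(["machine1.example.com", "webportal.example.com"])` to list the alias SPN the keytab lacks; the function raises on a CNAME loop rather than spinning.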