enterprise-ubuntu team mailing list archive
Message #00133
Kerberos implementation
Hello,
Sorry if this is off-topic, but I wanted to share the technical stuff
with you.
I am currently working on Kerberos-based authentication and here is what
I got.
I have an Apache server that is using a machine name
(machine1.example.com) but also serves through a DNS CNAME record
(webportal.example.com). The Apache server has a msktutil-issued ticket
for HTTP/machine1.example.com.
1. I managed to get mod_apache_krb5 to verify users with Kerberos
(without providing a password) thanks to the ticket issued by msktutil.
2. I managed to get Firefox to work with the machine name
machine1.example.com.
3. I found that webportal.example.com does not work with single-sign-on.
An interesting glitch in this scenario is that each Kerberos
authentication attempt causes Firefox to freeze for ~5s.
I am using the MIT Kerberos, which seems to be the default for both
RedHats and Ubuntus... at least MIT is in main, Heimdal is in Universe.
Now, I have tried changing to Heimdal's Kerberos and I was positively
surprised. Authentication does not cause Firefox to freeze and the
CNAME-based webportal.example.com site works with single-sign-on as well.
I have also found that there is an NTLM provider that is supposed to
extend the Negotiate protocol with NTLM (both v1 and v2), so SSO to
non-Kerberos IIS pages should work. I am trying to make it work at this
point.
It seems the Samba project is using Heimdal instead of MIT Kerberos.
Perhaps it's more Microsoft-compatible? On the other hand, SSSD is not
intending to support it:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/966146
Is anybody using Heimdal Kerberos instead of the default MIT?
Cheers,
Ballock