Kerberos support design


I created a Kerberos wiki page [1] with the design of the integration into our
current authentication scheme (thanks Dominic for the early discussions). Martin
and Tomáš especially should be interested, because it's related to the CLI.
Please take a look and reply with questions/comments, or ping me via IRC.


-- Marek


Thank you for the questions and other comments you sent in separate emails.
Answers are inline below.

> > [1]
> A couple of questions / points:
> 1) Is it going to be GSSAPI all the way or some direct Kerberos?
GSSAPI is used only on the client side. The Signo side uses rkerberos, which
uses Kerberos directly.

> 2) What does rack-auth-krb have that mod_auth_kerb does not?
It's web-server agnostic. Although we use Apache atm, we can switch to nginx
when we migrate to mod_passenger. Also, it's written in Ruby, which our team
> 3) The gssapi is now packaged:
> I'll now work to get them to composes.

> 4) It would be good if Bryan or perhaps someone from the Katello team
> fixed
> 5) For the "Creating principal will be out of a scope of katello" –
> this can be scripted with the IPA commands – namely ipa
> service-add.
> 6) For the "This file must exist before Signo is started" – again,
> use IPA command – ipa-getkeytab.
Does this mean we'd depend on FreeIPA? Or do these commands work with other
Kerberos systems as well? Is it sufficient to install freeipa-admintools (or
another package) to use them?

> 7) For the "Fallback to other backends - how we'll decide which one to
> use" – this is obviously on admin to decide and configure, with
> Katello providing sensible default. If you go with Kerberos but you
> will probably need to at least support the password change. Of
> course, you can just redirect to the IPA server to do that.
> 8) For the "Do we want to ensure clocks are synced" – do you plan
> for the systems to be enrolled as IPA clients? If yes, the setup of
> IPA client side will take care of this.
I don't think so.


On Monday 24 of June 2013 11:18:50 you wrote:
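The thread above describes a split where the client speaks GSSAPI and the server side (Signo, via rack-auth-krb and rkerberos) verifies the ticket independently of the web server. The Rack middleware below is an added example written for this page; it is not code from rack-auth-krb, Signo or Katello. It implements the HTTP Negotiate exchange (RFC 4559): challenge with `WWW-Authenticate: Negotiate`, decode the base64 token from `Authorization: Negotiate ...`, hand the raw bytes to a verifier, and set `REMOTE_USER` on success. The verifier, the `NegotiateAuth` class name, the `DEMO_APP` and the principal `marek@EXAMPLE.COM` are assumptions made for illustration; the stand-in verifier only checks that the token is shaped like a GSS-API InitialContextToken carrying the SPNEGO OID, where a real deployment would call into rkerberos/GSSAPI.

```ruby
# Added example (not project code): web-server-agnostic Negotiate/SPNEGO
# authentication as a Rack middleware. Only the Rack calling convention is
# used (call(env) -> [status, headers, body]), so it runs under Apache,
# nginx/Passenger or plain rackup alike. No gems or KDC are required.

class NegotiateAuth
  SCHEME = "Negotiate".freeze

  # verifier: callable taking the decoded token bytes and returning the
  # authenticated principal name, or nil if the token is rejected.
  def initialize(app, verifier:)
    @app = app
    @verifier = verifier
  end

  def call(env)
    token = extract_token(env["HTTP_AUTHORIZATION"])
    return challenge("authentication required") if token.nil?
    principal = safely_verify(token)
    return challenge("token rejected") if principal.nil?
    env["REMOTE_USER"] = principal     # downstream app sees the Kerberos principal
    @app.call(env)
  end

  private

  # Returns the decoded token bytes, or nil when the header is absent,
  # uses another scheme, or is not strict base64 (reject before verifying).
  def extract_token(header)
    return nil unless header
    scheme, b64 = header.split(" ", 2)
    return nil unless scheme && b64 && scheme.casecmp?(SCHEME)
    b64 = b64.strip
    return nil unless b64.match?(%r{\A[A-Za-z0-9+/]+={0,2}\z}) && (b64.length % 4).zero?
    b64.unpack1("m0")                  # "m0": strict base64, raises on bad input
  rescue ArgumentError
    nil
  end

  # A verifier failure must never turn into a 500 that leaks details.
  def safely_verify(token)
    @verifier.call(token)
  rescue StandardError
    nil
  end

  def challenge(reason)
    [401, { "WWW-Authenticate" => SCHEME, "Content-Type" => "text/plain" }, [reason]]
  end
end

# --- Stand-in verifier and sample data (constructed for this example) -------
# DER encoding of OID 1.3.6.1.5.5.2 (SPNEGO), as it appears right after the
# APPLICATION 0 tag and length byte of a GSS-API InitialContextToken.
SPNEGO_OID_DER = "\x06\x06\x2b\x06\x01\x05\x05\x02".b.freeze

# Assumption: a real verifier passes the bytes to gss_accept_sec_context
# (rkerberos/GSSAPI). This stand-in only checks the token framing and then
# reads a principal we embedded in the payload when building the sample.
DEMO_VERIFIER = lambda do |token|
  t = token.b
  return nil unless t.getbyte(0) == 0x60 && t[2, SPNEGO_OID_DER.bytesize] == SPNEGO_OID_DER
  payload = t[(2 + SPNEGO_OID_DER.bytesize)..-1].to_s
  payload.match?(/\A[a-z0-9.]+@[A-Z0-9.]+\z/) ? payload : nil
end

# Constructed sample token: tag 0x60, short-form DER length, SPNEGO OID, payload.
def build_demo_token(principal)
  inner = SPNEGO_OID_DER + principal.b
  "\x60".b + [inner.bytesize].pack("C") + inner
end

DEMO_APP = lambda { |env| [200, { "Content-Type" => "text/plain" }, ["hello #{env['REMOTE_USER']}"]] }

# Drive one request through the middleware; returns the Rack triple.
def run_request(authorization)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }
  env["HTTP_AUTHORIZATION"] = authorization if authorization
  NegotiateAuth.new(DEMO_APP, verifier: DEMO_VERIFIER).call(env)
end

if __FILE__ == $0
  good = "Negotiate " + [build_demo_token("marek@EXAMPLE.COM")].pack("m0")
  [nil, "Basic Zm9v", "Negotiate !!!", good].each do |auth|
    status, headers, body = run_request(auth)
    puts "#{auth.inspect} -> #{status} #{headers['WWW-Authenticate']} #{body.first}"
  end
end
```

The middleware deliberately does not send a server token back in the 200 response (mutual authentication), which a GSSAPI-backed verifier could add as `WWW-Authenticate: Negotiate <base64>`; the 401 path keeps its reason strings generic so a rejected ticket and a malformed header are indistinguishable to the caller.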