I created a Kerberos wiki page with the design of integration into our current
authentication scheme (thanks Dominic for early discussions). Especially
Martin and Tomáš should be interested because it's related to CLI. Please take
a look and reply with questions/comments or ping me via IRC.
Thank you for the questions and other comments you sent in separate emails.
Answers are below in the text.
> >  https://fedorahosted.org/katello/wiki/KerberosIntegration
> A couple of questions / points:
> 1) Is it going to be GSSAPI all the way or some direct Kerberos?
GSSAPI is used only on client side. The Signo side uses rkerberos which uses
> 2) What does rack-auth-krb have that mod_auth_kerb does not?
It's web server agnostic. Although we use Apache atm, we can switch to nginx
when we migrate to mod_passenger. Also it's written in Ruby which our team
> 3) The gssapi is now packaged:
> I'll now work to get them to composes.
> 4) It would be good if Bryan or perhaps someone from the Katello team
> 5) For the "Creating principal will be out of a scope of katello" –
> this can be scripted with the IPA commands – namely ipa
> 6) For the "This file must exist before Signo is started" – again,
> use IPA command – ipa-getkeytab.
Does this mean we'd depend on FreeIPA? Or do these commands work with other
Kerberos systems as well? Is it sufficient to install freeipa-admintools to use
it (or other package)?
> 7) For the "Fallback to other backends - how we'll decide which one to
> use" – this is obviously on admin to decide and configure, with
> Katello providing sensible default. If you go with Kerberos but you
> will probably need to at least support the password change. Of
> course, you can just redirect to the IPA server to do that.
> 8) For the "Do we want to ensure clocks are synced" – do you plan
> for the systems to be enrolled as IPA clients? If yes, the setup of
> IPA client side will take care of this.
I don't think so.
On Monday 24 of June 2013 11:18:50 you wrote: