
Comments (7)

kenaaker commented on August 31, 2024

Removing Kerberos would be counterproductive, I suspect. I think that Active Directory is a Kerberos implementation, so if you remove "Kerberos" functionality, you might lose the ability to interact with Active Directory.

from yast-auth-server.

Firstyear commented on August 31, 2024

No, there is specific functionality for AD with SSSD and winbind. This is for 389-ds to set up an internal krb server instead, which has been non-functional for a long time.

kenaaker commented on August 31, 2024

And here I thought that Kerberos was just to deal with authentication, and LDAP was there to supply the other authorization data. With those assumptions, the documentation makes a bit of sense. Although I thought that SSSD had been discontinued in favor of distinct setups for the 389 directory server and Kerberos servers.

Firstyear commented on August 31, 2024

Not quite @kenaaker - sssd is the client half of the equation that allows a workstation or server to communicate to kerberos/ldap for authentication and identity information.

Kerberos only provides authentication (verification of an identity) and only does so with a password. It was designed in an era pre-TLS, so it assumes there is no safe network transport. It also enables credential caching via a ticket system, which then can be forwarded to other machines. This has caused some of the most damage to IT systems globally, especially through Microsoft environments that use Kerberos, due to unconstrained lateral movement, making Kerberos likely one of the most damaging technologies to ever exist.

LDAP provides authentication and identity info, as well as database replication. In this YaST feature, it allows storing the Kerberos database (normally only on a single machine, as krb has no replication features) into LDAP to "piggy back" off of LDAP's ability to do replication.

However, it's been broken for literally years - attempting to set up and use this feature via this module would never result in a working configuration. Because of that, it failed the "scream" test, where no one complained about it. The first report of a problem was via internal SUSE QA noticing it failing, which prompted the talk to remove it.

kenaaker commented on August 31, 2024

And, here I am.... Trying to create a new authentication/authorization server after the hard drive that had the OS and all the previously existing configuration on it. (Unsuccessfully, I might add.) Everything was functioning before the hard drive crashed, but then everything was a "forward" migration from OpenSuSE 9.x. Now, I've been trying to get a minimal setup figured out for the server. But, every time I try to set up the servers I get "no connection" between the 389 server and the Kerberos server?
Maybe nobody screamed because they were all "forward" migrated? I remember an OpenLDAP and an SSSD setup somewhere in the past...

Firstyear commented on August 31, 2024

@kenaaker Do you mind emailing me directly about your auth server issues? I'd be happy to help out: william.brown at suse.com :)

suntorytimed commented on August 31, 2024

As this removal is now landing in 15 SP5 and we don't have a feature for it to document the change, I have opened a Bugzilla documentation bug to make sure we have that in our Release Notes. https://bugzilla.suse.com/show_bug.cgi?id=1202257
