Basic kerberos integration pointers?

Jason Tibbitts tibbs at math.uh.edu
Thu Aug 4 13:45:41 UTC 2016


So I've been running KDE on my department's desktop for many, many
years.  Probably even before KDE2, though I can't really remember back
that far.  We've also been running a kerberos infrastructure for a very
long time, but because we haven't really used it for much, it hasn't
really been a big deal when tickets expire and users generally didn't
need to care.

However, I've moved wholesale to kerberized NFS and this instantly made
kerberos tickets rather more important.  I've turned on automatic
password expiration which adds its own fun, and I'd like to move to two
factor auth.

So I'm looking for tips on the following:

1) A display manager that handles pam prompts (for 2FA) and password
   expiration.

KDM does some of that, sort of.  But it hangs 40 seconds after
prompting for a password change, and isn't being developed so I doubt
there's much chance of getting this fixed.

SDDM doesn't do it at all, and seems to be very unsuited to enterprise
usage in general.  (User desktop choice is stored in /var and not in the
user home dir, for example.)

I guess GDM is the only other option, which I'd like to avoid if
possible.

2) Some useful kerberos ticket GUI/applet for users.

I really just need something that usefully warns the user when their
creds are expiring.  SSSD will auto-renew credentials obtained through
it and hopefully at some point will auto-renew any renewable ticket, but
once a ticket passes its renewable time, at best the user loses access
to all of their files until they get a fresh ticket.  (At worst, bugs in
NFS screw the system and it has to be rebooted.)

Kredentials exists but is very old (KDE3?) and doesn't work particularly
well.  (No useful tooltips, no left click action, doesn't handle
multiple TGTs well, etc.)

I was running krb5-auth-dialog (a gnome thing), but at some point
recently it stopped working completely.  I don't know why.

Gnome-online-accounts is what Gnome uses now, but I can't even figure
out how to run it.


So if anyone else runs KDE in a heavily kerberized environment, I'd love
to know if you get around these issues, and how.

Thanks!
--
 Jason L Tibbitts III - tibbs at math.uh.edu - 713/743-3486 - 660PGH
 System Manager:  University of Houston Department of Mathematics
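
The expiry warning asked for in item 2, as an added example that is not part of the original post: it separates a TGT that can still be renewed from one whose renewable lifetime is nearly used up. It assumes MIT `klist` output with US-style dates; the sample text, the function names and the one-hour warning window are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output; not taken from the post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
08/04/2016 08:00:00  08/04/2016 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 08/11/2016 08:00:00
08/04/2016 08:05:00  08/04/2016 18:00:00  nfs/files.example.com@EXAMPLE.COM
\trenew until 08/11/2016 08:00:00
"""

FMT = "%m/%d/%Y %H:%M:%S"  # assumption: klist date format varies by version/locale
STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until {STAMP}$")


def parse_tgts(klist_text):
    """Return [(service, expires, renew_until or None)] for each krbtgt entry."""
    tgts = []
    current = None
    for line in klist_text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = None  # a "renew until" line belongs to the ticket above it
            if m.group(3).startswith("krbtgt/"):
                current = [m.group(3), datetime.strptime(m.group(2), FMT), None]
                tgts.append(current)
            continue
        m = RENEW_RE.match(line)
        if m and current is not None:
            current[2] = datetime.strptime(m.group(1), FMT)
    return [tuple(t) for t in tgts]


def classify(expires, renew_until, now, warn=timedelta(hours=1)):
    """Decide what a desktop applet should tell the user about one TGT."""
    if now >= expires:
        return "expired"        # kerberized NFS access is gone until a fresh kinit
    if expires - now > warn:
        return "ok"
    # Near expiry: renewal only helps if it can reach past the warning window.
    if renew_until is not None and renew_until - now > warn:
        return "renewable"      # kinit -R (or SSSD) can extend without a password
    return "reauth-needed"      # renewable lifetime nearly spent; password/2FA needed
```
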

