On Wed, 2013-08-28 at 18:50 -0700, Michael Butash wrote:
> Greetings, I was curious if the RH or other contributors have investigated adding OS-level machine auth support into NM, or proper dynamic DNS client support to register with AD.
How does the "OS-level machine auth support" work?
Is this Kerberos + EAP?
If you have joined the domain you should have a Kerberos keytab for the
*machine* account. If that's what you need to authenticate, it shouldn't
be particularly hard to make it work.
As for dynamic DNS, I currently have a horrid dispatcher.d script which
does something like:
if [ "${1/intel.com//}" != "$1" ]; then
    logger "Setting Intel reverse DNS for $HOST.$DOMAIN.corp.intel.com to $2"
    # We have to do it in the background or NM-dispatcher will
    # time us out and kill us.
    ( kinit -k $HOST$ && net -k ads dns register $HOST.$DOMAIN.corp.intel.com $2 | logger ) &
fi
Theoretically winbind can do this for itself but it's crap at it — when
we get on the VPN it actually tries to set the DNS to include every IP
address on the system *except* the one we really want¹ :)
I think SSSD might be a little better, but SSSD doesn't give my users
automatic NTLM authentication so I can't use that.
> Another real annoyance I found was the storing of my domain pass in the keyfiles for NM in plain text.
If it's the *user* password, you really shouldn't need it. For NTLM-based
authentication, winbind will be able to proxy it for you. Or ideally you
can use Kerberos. Although that's a little complex since the ccache is
owned by the user, not root.

If it really does have to have the *password*, then perhaps we should be
looking at a PAM module to steal it (much like gnome-keyring does).

¹ https://bugzilla.samba.org/show_bug.cgi?id=7634

-- 
David Woodhouse                            Open Source Technology Centre
David Woodhouse intel com                              Intel Corporation
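An added example, not David's script and not NetworkManager or Samba code, showing the dispatcher-side pattern he describes: authenticate as the *machine* account from the keytab (so no user password is ever stored), run the slow DNS registration in a detached subshell so the dispatcher timeout does not kill it, and use a private credential cache rather than root's. Assumed: NM's `$1=interface $2=action` calling convention and its `IP4_ADDRESS_0` ("addr/prefix gateway") variable, Samba's `net` and MIT `kinit`, and the placeholder domain corp.example.com.

```shell
#!/bin/sh
# Added example (not from the original mail). Registers this host in AD DNS
# from an NM dispatcher hook using the machine keytab (kinit -k HOST$), so no
# password is stored anywhere. Assumes NM passes "$1=interface $2=action" and
# exports IP4_ADDRESS_0 as "addr/prefix gateway"; Samba 'net' and MIT 'kinit'
# are installed; the host is joined and root can read /etc/krb5.keytab.
DNS_DOMAIN="${DNS_DOMAIN:-corp.example.com}"   # constructed placeholder domain

# Only act on events that hand us a (new) address.
wants_register() {
    case "$1" in
        up|vpn-up|dhcp4-change) return 0 ;;
        *) return 1 ;;
    esac
}

# First IPv4 address from NM's "addr/prefix gateway" form: 10.1.2.3/24 ... -> 10.1.2.3
primary_addr() {
    printf '%s\n' "${1%%/*}"
}

# FQDN to publish: short hostname + DNS domain.
fqdn_for() {
    printf '%s.%s\n' "$1" "$2"
}

# AD machine principal: upper-case short hostname with a trailing '$'.
machine_principal() {
    printf '%s$\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

# Do the slow network work detached so the dispatcher does not time us out,
# with a private ccache so we never clobber root's or a logged-in user's.
register_in_background() {
    fqdn=$1; addr=$2; princ=$3
    (
        export KRB5CCNAME="FILE:/run/nm-ad-dns.$$"
        kinit -k "$princ" && net -k ads dns register "$fqdn" "$addr"
        kdestroy 2>/dev/null
    ) 2>&1 | logger -t nm-ad-dns &
}

if [ "$#" -ge 2 ] && wants_register "$2"; then
    short=$(hostname -s); addr=$(primary_addr "${IP4_ADDRESS_0:-}")
    [ -n "$addr" ] && register_in_background "$(fqdn_for "$short" "$DNS_DOMAIN")" "$addr" "$(machine_principal "$short")"
fi
```

Drop it in /etc/NetworkManager/dispatcher.d/ as root-owned and mode 0755; nothing in it needs to be secret because the only credential it uses is the keytab the domain join already created.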