I was curious if RH or other contributors have investigated adding 
OS-level machine auth support into NM, or proper dynamic DNS client 
support to register with AD. 

How does the "OS-level machine auth support" work?
Is this Kerberos + EAP?

If you have joined the domain you should have a Kerberos keytab for the
*machine* account. If that's what you need to authenticate, it shouldn't
be particularly hard to make it work.

As for dynamic DNS, I currently have a horrid dispatcher.d script which
does something like:

        if [ "${1/}" != "$1" ]; then
                logger "Setting Intel reverse DNS for $HOST.$ to $2"
                # We have to do it in the background or NM-dispatcher will
                # time us out and kill us.
                ( kinit -k $HOST$ && net -k ads dns register $HOST.$ "$2" | logger ) &
        fi

Theoretically winbind can do this for itself but it's crap at it — when
we get on the VPN it actually tries to set the DNS to include every IP
address on the system *except* the one we really want¹ :) 

I think SSSD might be a little better, but SSSD doesn't give my users
automatic NTLM authentication so I can't use that.

Another real annoyance I found was the storing of my domain password in the 
keyfiles for NM in plain text. 

If it's the *user* password, you really shouldn't need it. For
NTLM-based authentication, winbind will be able to proxy it for you. Or
ideally you can use Kerberos. Although that's a little complex since the
ccache is owned by the user, not root.

If it really does have to have the *password*, then perhaps we should be
looking at a PAM module to steal it (much like gnome-keyring does).
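A dispatcher.d script along the lines of the one quoted above, written here as an added example rather than the script from the message: it keys the update off the address NetworkManager passes for the event (IP4_ADDRESS_0, or VPN_IP4_ADDRESS_0 on vpn-up) instead of letting winbind guess, detaches the kinit/net step so the dispatcher timeout cannot kill it, and uses a separate credential cache so root's own ccache is left alone. The script path, the ccache path and the uppercase HOST$ principal are assumptions.

```shell
#!/bin/sh
# Added example: /etc/NetworkManager/dispatcher.d/50-ads-dns (assumed path).
# NM runs dispatcher scripts with $1 = interface, $2 = action, and passes
# addresses as IP4_ADDRESS_0="addr/prefix gateway" (VPN_IP4_ADDRESS_0 on vpn-up).

# Events after which the host record should be (re)registered.
should_register() {
    case "$1" in
        up|vpn-up|dhcp4-change) return 0 ;;
        *) return 1 ;;
    esac
}

# Reduce "192.0.2.10/24 192.0.2.1" to "192.0.2.10" for this event only.
# $1 = action, $2 = IP4_ADDRESS_0, $3 = VPN_IP4_ADDRESS_0.
pick_address() {
    case "$1" in
        vpn-up) set -- "$3" ;;
        *)      set -- "$2" ;;
    esac
    printf '%s\n' "${1%%/*}"
}

# $1 = FQDN, $2 = address. Authenticates as the machine account (HOST$, with a
# literal trailing $) from the keytab; a private ccache keeps root's own
# credentials untouched. Ccache path and principal case are assumptions.
register_dns() {
    export KRB5CCNAME="FILE:/run/nm-ads-dns.ccache"
    kinit -k "$(hostname -s | tr a-z A-Z)\$" &&
        net -k ads dns register "$1" "$2"
}

main() {
    iface=$1 action=$2
    should_register "$action" || exit 0
    addr=$(pick_address "$action" "${IP4_ADDRESS_0:-}" "${VPN_IP4_ADDRESS_0:-}")
    if [ -z "$addr" ]; then
        logger -t ads-dns "no address for $iface/$action, skipping"
        exit 0
    fi
    fqdn=$(hostname -f)
    logger -t ads-dns "registering $fqdn -> $addr ($iface $action)"
    # Fully detached so NM's dispatcher timeout cannot kill the update.
    ( register_dns "$fqdn" "$addr" 2>&1 | logger -t ads-dns ) >/dev/null 2>&1 &
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```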

