Yesterdays +NUUG presentation about Kerberos was inspiring, and reminded me +about the need to start using Kerberos in Skolelinux. Setting up a +Kerberos server seem to be straight forward, and if we get this in +place a long time before the Squeeze version of Debian freezes, we +have a chance to migrate Skolelinux away from NFSv3 for the home +directories, and over to an architecture where the infrastructure do +not have to trust IP addresses and machines, and instead can trust +users and cryptographic keys instead.
+ +A challenge will be integration and administration. Is there a +Kerberos implementation for Debian where one can control the +administration access in Kerberos using LDAP groups? With it, the +school administration will have to maintain access control using flat +files on the main server, which give a huge potential for errors.
+ +A related question I would like to know is how well Kerberos and +pam-ccreds (offline password check) work together. Anyone know?
+ +Next step will be to use Kerberos for access control in Lwat and +Nagios. I have no idea how much work that will be to implement. We +would also need to document how to integrate with Windows AD, as such +shared network will require two Kerberos realms that need to cooperate +to work properly.
+ +I believe a good start would be to start using Kerberos on the +skolelinux.no machines, and this way get ourselves experience with +configuration and integration. A natural starting point would be +setting up ldap.skolelinux.no as the Kerberos server, and migrate the +rest of the machines from PAM via LDAP to PAM via Kerberos one at the +time.
+ +If you would like to contribute to get this working in Skolelinux, +I recommend you to see the video recording from yesterdays NUUG +presentation, and start using Kerberos at home. The video show show +up in a few days.
+