client-side support for SASL/GSSAPI on windows?

[Jeffrey Altman]

denis.havlik at t-mobile.at wrote:
> Hi, folks
> 
> I've tested the openLDAP+MIT kerberos+SASL/GSSAPI on Linux (and I'm quite 
> happy with it), but I'll need the client-side support on the windows side 
> as well. Anyone knows of some good online docs that explain what has to be 
> done on the windows side?
> 
> For instance, there is apparently no stable SASL for windows 
> (http://asg.web.cmu.edu/cyrus/download/sasl/windows.html), so what's used 
> for SASL/GSSAPI? :-)

I am not aware of an alternative implementation of SASL for Windows.

The indication from this page is that the SASL-GSSAPI builds against
the CyberSafe sources.  You should be able to modify that to build 
against the MIT Kerberos for Windows 2.6.x SDK quite easily.

> Closely related: I want to set up windows AD controller in such a way that 
> the password for all users is checked against MIT kerberos KDC. 

Use cross-realm authentication and have your user authenticate using
the MIT KDC realm principal instead of the mapped Active Directory accounts.

> Now, windows machines have a built-in support for kerberos, and that's all 
> that's needed for login purpose. Do I still need to install 
> MIT kerberos 4 Windows on all the windows client machines, or not? 

Microsoft does not export a Kerberos programming API.  They only provide
the Kerberos SSP which has semantics similar to GSSAPI but with a 
different API and some wire compatibility issues depending on how it is
used.  If you wish to use the same sources for Kerberos 5 and GSSAPI on
Linux and Windows, then you should install the MIT KFW 2.6.x package on 
your clients and build your applications against that framework. 
Depending on your needs you can either import the Microsoft LSA 
credentials into a new MIT Kerberos credentials cache or access the
MS LSA credentials in read-only mode via the MIT krb5_ccache "MSLSA:"
ccache interface.

Jeffrey Altman