Architecture Question between Windows 2003 and Unix MIT Kerberos Server

Douglas E. Engert deengert at anl.gov
Tue Jul 27 10:57:08 EDT 2004



Michenaud Laurent wrote:

> Hi,
>
> We have a Windows 2003 Server with Active Directory.
> Windows 2003 Server has its own implementation of Kerberos V5 ( right ? ).
> Windows 2003 Server manages the accounts into Active Directory.
>
> We have a Linux MIT Kerberos Server.
> MIT Kerberos has a user account database ( user = principals ? ).

Yes to both.

>
>
> What we want :
> Authenticate against the MIT Kerberos Server using a Windows account.
>

I think I know what you mean.

You can have two realms. The Windows realm, and the MIT realm.
let's call them AD.ADEUZA.FR  (the name of the Windows domain in upper case)
and MIT.ADEUZA.FR. You can then set up cross realm between them.

A user can then authenticate to the AD.ADEUZA.FR realm,
and use this to get tickets for services in MIT.ADEUZA.FR.

>
> I don't know how to do that.
>
> Should users in Windows 2003 be replicated in the MIT Kerberos Server ?

no.

>
> Should MIT Kerberos be able to ask the Windows 2003 Server for
> authentication
> if the user does not exist in the database ?

It does not work that way. The user first gets a TGT from his own realm, then
if the service is in the other realm, the user's library will get a cross realm TGT
to the other realm, then it will get the service ticket.

So you as user lmchenaud at AD.ADEUZA.FR would get:
   krbtgt/AD.ADEUZA.FR at AD.ADEUZA.FR

Then if you tried to use the server myworkstation.adeuza.fr in realm MIT.ADEUZA.FR
the library would get a ticket using cross realm for:
   krbtgt/MIT.ADEUZA.FR at AD.ADEUZA.FR

This would then be used to get the service ticket for:
   host/myworkstation.adeuza.fr at MIT.ADEUZA.FR

On the unix host the ~/.k5login would need an entry for
lmchenaud at AD.ADEUZA.FR
to allow this foreign user access to the local account.

>
> Is the MIT Kerberos server a slave and Windows 2003 the master ?

No, unless you are trying to use the same realm name for both. But Windows and
MIT KDCs can't work together in the same realm.

Also see:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

>
>
> Thanks for helping me
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
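As an added example (not code from the reply above, nor from MIT Kerberos or Windows), the following Python models the two points of the reply: the chain of tickets a client library obtains when the service lives in another realm, and the ~/.k5login decision on the Unix host. The function names, the `capaths` dictionary shape (a simplified stand-in for the `[capaths]` section of krb5.conf, where "." means a direct hop) and the intermediate realm CORP.EXAMPLE in the second scenario are assumptions made for illustration; the realm and principal names are the ones used in the reply. The .k5login rule follows MIT's default behaviour: without the file, only `<localuser>@<default realm>` may log in; with it, only the principals listed in it.

```python
"""Model of cross-realm ticket acquisition and ~/.k5login authorization.

Added example, hypothetical helpers: this is a simulation of the library
behaviour described in the reply, not a Kerberos implementation.
"""
from typing import Dict, List, Optional

# Shape assumed for illustration: client_realm -> {target_realm: [hops]},
# mirroring krb5.conf [capaths]; a hop of "." means "go directly".
CaPaths = Dict[str, Dict[str, List[str]]]


def cross_realm_chain(client_realm: str, service_principal: str,
                      capaths: Optional[CaPaths] = None) -> List[str]:
    """Return the principals the client asks for, in order.

    1. The client's own TGT:            krbtgt/<client realm>@<client realm>
    2. One cross-realm TGT per hop:     krbtgt/<next realm>@<issuing realm>
    3. The service ticket itself:       <service>@<service realm>
    """
    service_realm = service_principal.rpartition("@")[2]
    if not service_realm:
        raise ValueError("service principal must carry a realm")

    chain = [f"krbtgt/{client_realm}@{client_realm}"]
    if service_realm == client_realm:
        # Same realm: the local TGT is enough, no cross-realm step.
        chain.append(service_principal)
        return chain

    # Without a configured path the library tries a direct cross-realm TGT.
    path = ["."]
    if capaths:
        path = capaths.get(client_realm, {}).get(service_realm, ["."])
    hops = [realm for realm in path if realm != "."]

    issuing = client_realm
    for next_realm in hops + [service_realm]:
        # A cross-realm TGT for realm B is issued by realm A as krbtgt/B@A.
        chain.append(f"krbtgt/{next_realm}@{issuing}")
        issuing = next_realm
    chain.append(service_principal)
    return chain


def k5login_allows(principal: str, local_user: str, default_realm: str,
                   k5login_contents: Optional[str] = None) -> bool:
    """Decide whether `principal` may use the local account `local_user`.

    Models MIT's default rule: with no ~/.k5login only the principal
    <local_user>@<default_realm> is accepted; if ~/.k5login exists, only
    the principals listed in it (one per line, realm included) are accepted.
    A foreign-realm user such as lmchenaud@AD.ADEUZA.FR therefore needs an
    explicit entry even when the user part matches the local account name.
    """
    if k5login_contents is None:
        return principal == f"{local_user}@{default_realm}"
    allowed = {line.strip() for line in k5login_contents.splitlines()
               if line.strip()}
    return principal in allowed


if __name__ == "__main__":
    for p in cross_realm_chain("AD.ADEUZA.FR",
                               "host/myworkstation.adeuza.fr@MIT.ADEUZA.FR"):
        print(p)
    # Constructed ~/.k5login content for the unix account "lmchenaud".
    print(k5login_allows("lmchenaud@AD.ADEUZA.FR", "lmchenaud",
                         "MIT.ADEUZA.FR", "lmchenaud@AD.ADEUZA.FR\n"))
```

Running the script prints the three principals listed in the reply, in the order the library requests them, followed by `True` for the .k5login case; dropping the last argument shows that the same foreign principal is refused when no ~/.k5login exists.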
