interoperability Win2k/Linux

Paul B. Hill pbh at MIT.EDU
Mon Jun 10 17:45:47 EDT 2002

No, there was an incorrect statement.

If you want a Win2k Domain, you have to run a Win2k Active Directory server.
You do have to set passwords on each of the user accounts in the AD server.
However, you don't have to syncronize the passwords between a Kerberos realm
and the AD server to get most functionality.

At MIT we have set all of the user passwords to be a random 128 characters
for each AD account. There is an account mapping from the UNIX realm to the
AD accounts. Initial authentication is done against the UNIX realm.

This works well except in the case of Exchange. Exchange doesn't support
Kerberos, it is always using NTLM. If the users don't know their native
Windows password they won't be able to use Exchange.

A similar problem exists for the Microsoft Macintosh File and Print


-----Original Message-----
From: kerberos-admin at MIT.EDU [mailto:kerberos-admin at MIT.EDU]On Behalf Of
Derek Yarnell
Sent: Monday, June 10, 2002 5:10 PM
To: kerberos at
Subject: Re: interoperability Win2k/Linux

> - The long and short of it, is that if you want to support W2k
> services, you HAVE to run a W2k Active Directory server. You don't
> have to keep user passwords in it, but you have to run it.

So wait you are saying there is a way to pass through the krb5 auth to
a MIT kdc? How can I do this, while running W2K Active Directory for
things like exchange... etc..

Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list