Paul B. Hill
pbh at MIT.EDU
Mon Jun 10 17:45:47 EDT 2002
No, there was an incorrect statement.
If you want a Win2k Domain, you have to run a Win2k Active Directory server.
You do have to set passwords on each of the user accounts in the AD server.
However, you don't have to synchronize the passwords between a Kerberos realm
and the AD server to get most functionality.
At MIT we have set all of the user passwords to be a random 128 characters
for each AD account. There is an account mapping from the UNIX realm to the
AD accounts. Initial authentication is done against the UNIX realm.
This works well except in the case of Exchange. Exchange doesn't support
Kerberos, it is always using NTLM. If the users don't know their native
Windows password they won't be able to use Exchange.
A similar problem exists for the Microsoft Macintosh File and Print
From: kerberos-admin at MIT.EDU [mailto:kerberos-admin at MIT.EDU]On Behalf Of
Sent: Monday, June 10, 2002 5:10 PM
To: kerberos at mit.edu
Subject: Re: interoperability Win2k/Linux
> - The long and short of it, is that if you want to support W2k
> services, you HAVE to run a W2k Active Directory server. You don't
> have to keep user passwords in it, but you have to run it.
So wait, you are saying there is a way to pass through the krb5 auth to
an MIT KDC? How can I do this, while running W2K Active Directory for
things like Exchange, etc.?
Kerberos mailing list Kerberos at mit.edu
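The arrangement Paul describes above (a random 128-character password on every AD account, plus a mapping from the UNIX-realm principal to the AD account, with initial authentication done against the UNIX realm) can be scripted. What follows is an added example, not code from the post or from MIT's deployment: it generates such a password, encodes it the way AD's unicodePwd attribute expects (the value in double quotes, UTF-16LE, which a domain controller only accepts over an LDAPS connection), and emits an LDIF that also sets altSecurityIdentities, the attribute AD consults to map an external Kerberos principal to an account. The realm, base DN and user name are constructed sample values, and that MIT implemented its mapping through altSecurityIdentities is an assumption; the post does not say how the mapping was done.

```python
import base64
import secrets
import string

# Constructed sample values (assumptions, not taken from the post).
UNIX_REALM = "ATHENA.MIT.EDU"
AD_BASE_DN = "OU=People,DC=win,DC=example,DC=edu"
PASSWORD_LENGTH = 128

# Printable ASCII minus the quote characters and backslash, so the generated
# password can never collide with the quoting unicodePwd requires.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "\"'\\"
)


def random_password(length=PASSWORD_LENGTH):
    """Unguessable password drawn from the OS CSPRNG (secrets module).

    Nobody is ever told this value; its only purpose is to satisfy AD's
    requirement that the account have a password at all.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def unicode_pwd(password):
    """Encode a password as AD's unicodePwd attribute expects it.

    The DC wants the password wrapped in ASCII double quotes and then
    encoded as UTF-16LE; it strips the quotes itself.  Writing this
    attribute is refused over a non-TLS LDAP session.
    """
    return ('"' + password + '"').encode("utf-16-le")


def kerberos_mapping(username, realm=UNIX_REALM):
    """altSecurityIdentities value mapping an external principal to this account."""
    return f"Kerberos:{username}@{realm}"


def ldif_for_user(username, password, realm=UNIX_REALM, base_dn=AD_BASE_DN):
    """LDIF that sets the throw-away password and the principal mapping in one modify.

    unicodePwd is binary, so LDIF carries it base64-encoded after a double colon.
    """
    dn = f"CN={username},{base_dn}"
    pwd_b64 = base64.b64encode(unicode_pwd(password)).decode("ascii")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {pwd_b64}\n"
        "-\n"
        "replace: altSecurityIdentities\n"
        f"altSecurityIdentities: {kerberos_mapping(username, realm)}\n"
        "-\n"
    )


if __name__ == "__main__":
    # Sample run for a constructed user; feed the output to ldapmodify over ldaps://.
    user = "jdoe"
    print(ldif_for_user(user, random_password()))
```

The LDIF is meant for something like `ldapmodify -H ldaps://dc.win.example.edu -f user.ldif` (hostname assumed); the same modify over plain `ldap://` fails on the unicodePwd write. Note that the caveat in the post is unchanged by this: the account still has a real password and therefore an NT hash, but because nobody knows the 128-character value, anything that insists on NTLM (Exchange, in Paul's description) cannot be used by that user, while Kerberos-authenticated services that honour the mapping work.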