w2k client login to kerberos realm

Brian Thompson brianpm at ghidra.eng.wayne.edu
Mon Nov 11 14:45:26 EST 2002

"Tony Hoyle" <tmh at nodomain.org> wrote in message news:<pan.2002. at nodomain.org>...
> On Sun, 10 Nov 2002 13:36:39 +0000, Brian Thompson wrote:
> > username. If I delete the local account it 
> > doesn't work. There is an account in the AD 
> > server with the same username which is the 
> > proxy account that I really want to use.
> > 
> If you're logging into a non-Windows kerberos account there *must*
> be a local account mapped so that Windows can retrieve a valid SID
> for the user.  When you log into Active Directory this is done
> automatically (via some extra data sent from the server).  Logging
> into an MIT domain is the same as logging in locally except the password
> authentication is done via kerberos (all other authentication eg. network
> shares is done as if you had logged in locally).
> Tony

Thanks Tony, but I'm wondering if and/or why it has to
be _local_. I'd really like the shadow SID account to be
an AD domain account, not local to the workstation.

According to Luke this is theoretically possible:


I'm using Heimdal as the KDC and the workstations
do belong to an AD domain.

