w2k client login to kerberos realm
Brian Thompson
brianpm at ghidra.eng.wayne.edu
Mon Nov 11 14:45:26 EST 2002
"Tony Hoyle" <tmh at nodomain.org> wrote in message news:<pan.2002.11.11.11.48.33.282367 at nodomain.org>...
> On Sun, 10 Nov 2002 13:36:39 +0000, Brian Thompson wrote:
>
> > username. If I delete the local account it
> > doesn't work. There is an account in the AD
> > server with the same username which is the
> > proxy account that I really want to use.
> >
> If you're logging into a non-Windows kerberos account there *must*
> be a local account mapped so that Windows can retrieve a valid SID
> for the user. When you log into Active Directory this is done
> automatically (via some extra data sent from the server). Logging
> into an MIT domain is the same as logging in locally except the password
> authentication is done via kerberos (all other authentication eg. network
> shares is done as if you had logged in locally).
>
> Tony
Thanks Tony, but I'm wondering if and/or why it has to
be _local_. I'd really like the shadow SID account to be
an AD domain account, not local to the workstation.
According to Luke this is theoretically possible:
http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&frame=right&rnum=11&thl=1010052362,1009746294,1011410969,1011406245,1011372638,1011287500,1011279568,1011265813,1011263816,1011252848,1011250716,1011242826&seekm=anfmmn%243f3%241%40sisko.nodomain.org#link12
I'm using Heimdal as the KDC and the workstations
do belong to an AD domain.
-Brian
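As an added illustration of the local-account mapping Tony describes (this is not part of the thread, and it shows the local mapping, not the domain-account mapping Brian is asking for): on a Windows 2000 workstation the realm, its KDC and the principal-to-account mapping are configured with the ksetup tool. The realm EXAMPLE.ORG, the KDC host kdc.example.org and the user name brian are placeholders chosen for the example.

```powershell
# Added example, not from the mailing list thread. Realm, KDC host and
# user names are placeholders. Run in an elevated cmd or PowerShell prompt.

# Tell Windows where the KDC for the non-Windows (e.g. Heimdal) realm lives.
ksetup /addkdc EXAMPLE.ORG kdc.example.org

# Only needed when the workstation is NOT joined to an AD domain: make the
# non-Windows realm the default realm for logon. Brian's workstations are
# domain members, so this line can be omitted there.
# ksetup /setdomain EXAMPLE.ORG

# The shadow account must exist locally before it can be mapped; Windows
# takes the logon session's SID from it (the KDC supplies no SID).
net user brian * /add

# Map the Kerberos principal onto that local account.
ksetup /mapuser brian@EXAMPLE.ORG brian

# Show the resulting realm, KDC and mapping configuration.
ksetup
```

After this, logging on as brian@EXAMPLE.ORG authenticates the password against the Heimdal KDC, while everything that needs a SID (profile, ACLs, network shares) behaves as a logon to the local account brian, which is exactly the behaviour Tony describes.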