w2k client login to kerberos realm

Sam Hartman hartmans at MIT.EDU
Mon Nov 11 15:45:18 EST 2002


>>>>> "Tony" == Tony Hoyle <tmh at nodomain.org> writes:

    Tony> On Sun, 10 Nov 2002 13:36:39 +0000, Brian Thompson wrote:
    >> username. If I delete the local account it doesn't work. There
    >> is an account in the AD server with the same username which is
    >> the proxy account that I really want to use.
    >> 
    Tony> If you're logging into a non-Windows kerberos account there
    Tony> *must* be a local account mapped so that Windows can
    Tony> retrieve a valid SID for the user.  When you log into Active
    Tony> Directory this is done automatically (via some extra data
    Tony> sent from the server).  Logging into an MIT domain is the
    Tony> same as logging in locally except the password
    Tony> authentication is done via kerberos (all other
    Tony> authentication eg. network shares is done as if you had
    Tony> logged in locally).

Impirical evidence suggests you're giving an incomplete answer here.
I have a W2K box on my desk for which I log into an MIT account which
is mapped by the domain to a domain account.  No local account exists.



More information about the Kerberos mailing list