w2k client login to kerberos realm
Sam Hartman
hartmans at MIT.EDU
Mon Nov 11 15:45:18 EST 2002
>>>>> "Tony" == Tony Hoyle <tmh at nodomain.org> writes:
Tony> On Sun, 10 Nov 2002 13:36:39 +0000, Brian Thompson wrote:
>> username. If I delete the local account it doesn't work. There
>> is an account in the AD server with the same username which is
>> the proxy account that I really want to use.
>>
Tony> If you're logging into a non-Windows kerberos account there
Tony> *must* be a local account mapped so that Windows can
Tony> retrieve a valid SID for the user. When you log into Active
Tony> Directory this is done automatically (via some extra data
Tony> sent from the server). Logging into an MIT domain is the
Tony> same as logging in locally except the password
Tony> authentication is done via kerberos (all other
Tony> authentication eg. network shares is done as if you had
Tony> logged in locally).
Empirical evidence suggests you're giving an incomplete answer here.
I have a W2K box on my desk for which I log into an MIT account which
is mapped by the domain to a domain account. No local account exists.