w2k client login to kerberos realm
nward at esphion.com
Mon Nov 11 16:49:15 EST 2002
Here is what I did with MIT Krb5 & Win2k.
- Set up my KDC with des-cbc-crc encryption.
- Used the ksetup.exe util as per the Microsoft Kerberos Interoperability Steps document (exact name may differ) to:
  - Set my Kerberos realm
  - Set my KDC
  - Map all accounts (* & *@realm) to "Administrator"
- Got a tool called Wake (http://www.rose-hulman.edu/TSC/software/wake/), which converts MSKRB5 tickets to MITKRB5 tickets (so I can use OpenAFS etc. on my Windows workstations).
Why map all to Administrator? There is little security implication here, as all users store their data on the AFS server and each user has their own workstation.
If you must use AD, somewhere at padl.com there is a project in progress to make an OpenLDAP extension to talk as an ADC.
The Microsoft documents on UNIX interoperability are starting to get good as well, so instead of ignoring all MS links in your Google searches, check them out. They are good.
On Mon, 11 Nov 2002 20:24:33 +0000
"Tony Hoyle" <tmh at nodomain.org> wrote:
> On Mon, 11 Nov 2002 11:45:26 +0000, Brian Thompson wrote:
> > According to Luke this is theoretically possible:
> > http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&frame=right&rnum=11&thl=1010052362,1009746294,1011410969,1011406245,1011372638,1011287500,1011279568,1011265813,1011263816,1011252848,1011250716,1011242826&seekm=anfmmn%243f3%241%40sisko.nodomain.org#link12
> I can't see how, based on the Microsoft documentation, although Luke knows
> more about what the protocol is capable of.
> In any case it would be the KDC that would have to pass the AD
> authentication information - maybe he was referring to the patched heimdal
> he did for samba?
> Kerberos mailing list Kerberos at mit.edu
PH: +64 9 4142060
MOB: +64 9 21 431675
EMail: nward at esphion.com