w2k client login to kerberos realm

Nathan Ward nward at esphion.com
Mon Nov 11 16:49:15 EST 2002


Here is what I did with MIT Krb5 & Win2k.

 - Set up my KDC with des-cbc-crc encryption.
 - Used the ksetup.exe util as per the Microsoft Kerberos Interoperability Steps document (exact name may differ) to:
	Set my Kerberos realm
	Set my KDC
	Map all accounts (* & *@realm) to "Administrator"
 - Got a tool called Wake (http://www.rose-hulman.edu/TSC/software/wake/), which converts MSKRB5 tickets to MITKRB5 tickets (so I can use OpenAFS etc. on my Windows workstations).

Why map all to Administrator? There is little security implication here, as all users store their data on the AFS server and each user has their own workstation.

If you must use AD, somewhere at padl.com there is a project in progress to make an OpenLDAP extension to talk as an ADC.

The Microsoft documents on UNIX interoperability are starting to get good as well, so instead of ignoring all MS links in your Google searches, check them out. They are good.

Nathan


On Mon, 11 Nov 2002 20:24:33 +0000
"Tony Hoyle" <tmh at nodomain.org> wrote:

> On Mon, 11 Nov 2002 11:45:26 +0000, Brian Thompson wrote:
> 
> 
> > According to Luke this is theoretically possible:
> > 
> > http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&frame=right&rnum=11&thl=1010052362,1009746294,1011410969,1011406245,1011372638,1011287500,1011279568,1011265813,1011263816,1011252848,1011250716,1011242826&seekm=anfmmn%243f3%241%40sisko.nodomain.org#link12
> > 
> I can't see how, based on the Microsoft documentation, although Luke knows
> more about what the protocol is capable of.
> 
> In any case it would be the KDC that would have to pass the AD
> authentication information - maybe he was referring to the patched heimdal
> he did for samba?
> 
> Tony


-- 

Nathan Ward
System Administrator
Esphion Ltd.

PH:    +64 9 4142060
MOB:   +64 9 21 431675
EMail: nward at esphion.com
Web:   www.esphion.com
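
The ksetup steps listed in the message above, written out as a batch file. This is an added example, not part of the original post or of the Microsoft document it mentions. The realm EXAMPLE.COM, the host kdc.example.com and the account alice are constructed placeholders, and /setdomain is the Windows 2000-era switch name. It shows the wildcard-to-Administrator mapping from the post beside narrower per-principal mappings.

```bat
@echo off
rem Added example. Run from an elevated prompt on the Windows 2000 workstation.
rem REALM, KDC and the account names below are constructed placeholders.
set REALM=EXAMPLE.COM
set KDC=kdc.example.com

rem Step 1: make the MIT realm the workstation's Kerberos realm.
ksetup /setdomain %REALM%

rem Step 2: tell the workstation which KDC serves that realm.
ksetup /addkdc %REALM% %KDC%

rem Step 3, as described in the post: every realm principal logs on
rem locally as Administrator. Left commented out for comparison.
rem ksetup /mapuser * Administrator

rem Step 3, narrower variants. The local accounts must already exist.
rem (a) one explicit principal mapped to one unprivileged local account:
ksetup /mapuser alice@%REALM% alice
rem (b) every principal mapped to the local account with the same name:
ksetup /mapuser * *

rem Print the resulting realm, KDC and mapping configuration for review.
ksetup
```

With mapping (b) a principal that has no same-named local account gets no local logon, whereas the wildcard-to-Administrator mapping gives every principal in the realm local administrative rights on the workstation.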


