microsoft xp gssapi client talking to solaris8 gssapi server

Tony Hoyle tmh at nodomain.org
Sun Oct 6 05:58:42 EDT 2002


On Sat, 05 Oct 2002 18:26:08 +0000, Sam Hartman wrote:

> I am fairly sure you're misusing the term active directory here.  It's
> certainly true that you're using an extra DLL or two, and you need to
> have a krb5.ini, but you can use your Windows credentials and Windows KDCs.

I've had an implementation that did this for some time... nobody uses it,
basically because nobody knows how to set up the krb5.ini and the whole
ktpass/export key thing is a pain.  With a pure SSPI implementation it
all 'just works' provided you're connecting to the local domain (The MS
Kerberos implementation has no equivalent of 'kinit' so you'd have to use
MIT for remote connections anyway).

> Any export/license issues you'd have with the MIT codebase (and while
> they do exist for commercial software, they do not seem prohibitive)
> will also exist with Heimdal.

They don't, because Heimdal isn't written in the US, so I don't have to go
near a US server to get it.  If a US citizen wants to then download it
it's between them and their legal system, and not my problem (I do warn
people to check with their lawyers if they're unsure, though).

Similarly, with the MIT tarball, I grab it from the UK Debian mirror as a
.deb and extract it.  The export was not done by me & I haven't broken any
laws by downloading it.

However KFW is only available from MIT, and the only way to get it is to
bypass their 'are you in the US' checking.  This makes it damned hard to
distribute, because I have to break some law or other to download it.


> 
> ftp://ftp.sap.de/pub/ietf-work/
> 
Ahh OK.  It doesn't solve the server side, which is the bit of my
implementation that doesn't work properly also...  The problem is that the
MS Kerberos doesn't have any equivalent of a keytab, and service
principals are a hack (i.e. it doesn't really support them; it aliases an
active username onto it).  You need the plaintext password of the user
you've aliased the principal onto to create the correct security context,
which is a bit of a security problem (if the server is compromised locally the
attacker then has a valid login to the domain).

Tony



