Win logon to a MIT Kerberos V KDC?

Luke Howard lukeh at PADL.COM
Thu Sep 26 11:16:37 EDT 2002

>Just thinking that it might be a little like NSS/PAM. In Linux
>I need Lib{PAM,NSS}-LDAP for uid/gid number mapping etc (authorization)
>and LibPAM-Krb5 for password (authentication)...

The Windows "solution" is, as previously mentioned, to have a local or
Active Directory account for the user. That's where the authorization
information comes from (in an AD domain it is included in the
authorization data field of the ticket). Note that enhancing a KDC to
supply the necessary authorization data is not sufficient to eliminate
the need for an local or Active Directory account. It is, as one might
expect, a significantly more involved problem.

>    Luke> Did you set the machine password with ksetup and create a
>    Luke> machine principal on your KDC with the same password?
>Yes. I first tried with a random passwd and add that to the keytab.
>I then found the link to the step-by-step guide, so I re-did it,
>this time without adding it to the keytab.

Which keytab? There is no keytab on a Windows 2000 workstation. You
need to do ksetup /SetComputerPassword to set the machine password
in the LSA secret store. You can verify this with lsadump2.

-- Luke

Luke Howard | PADL Software Pty Ltd |

More information about the Kerberos mailing list