replicating windows 2000 principals
    Clint Chaplin
    cchaplin at sj.symbol.com
    Thu Sep 26 21:13:45 EDT 2002

Um, in the user account in AD, you can set an option to not require pre-auth.  I would recommend that you do so.  If you do not, then the AS_REP will be so big that the Microsoft KDC will send it using TCP/IP instead of UDP/IP.  Most clients will not expect this.
There is an option you can set in the AS_REQ to not have the AS_REP be so big, but that would require you to modify the code that generates the AS_REQ, which is not a trivial task.
Clint (JOATMON) Chaplin
>>> Luke Howard <lukeh at padl.com> 9/26/02 07:44:11 >>>
>I am trying to replicate the kerberos database from a Windows 2000 AD
>server to a UNIX krb5 KDC. Problem is that, although Microsoft mentions
>kprop in its Kerberos 5 interoperability document, this service is
>nowhere to be found in Windows 2000. 
>
>Some documents in MSDN report that "windows 2000 is not using the
>kerberos replication protocol for replication of the user database, but
>a proprietary ADSI based protocol". 
Well, the protocol is not based on ADSI -- that is an API -- rather it is
a DCE RPC-based protocol.
>Is there a way to replicate the Windows 2000 kerberos database on a UNIX
>slave KDC? 
Not that I am aware of.
-- Luke
--
Luke Howard | PADL Software Pty Ltd | www.padl.com 
________________________________________________
Kerberos mailing list           Kerberos at mit.edu 
http://mailman.mit.edu/mailman/listinfo/kerberos
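As an added illustration (not code from either poster): the AS_REQ option Clint alludes to is assumed here to be the MS-KILE PA-PAC-REQUEST pre-authentication data (padata-type 128), whose single field include-pac, when FALSE, asks the Windows KDC to leave the PAC out of the ticket, which is the bulk of the AS_REP. The script below hand-encodes that PA-DATA in DER using only the standard library and decodes it back to show the structure; the constant name and helper names are the example's own, and the DER writer is minimal rather than general-purpose.

```python
# Added example: build and parse the PA-PAC-REQUEST padata (MS-KILE, type 128)
# that an AS-REQ can carry to ask a Windows KDC to omit the PAC.  Minimal
# hand-rolled DER, standard library only, so it runs offline.

PA_PAC_REQUEST = 128  # padata-type assigned by MS-KILE (assumption: this is the option meant)


def der_len(n: int) -> bytes:
    """DER length octets, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def der_int(n: int) -> bytes:
    """DER INTEGER: minimal two's-complement, so 128 needs a leading 0x00."""
    if n == 0:
        return der_tlv(0x02, b"\x00")
    nbytes = (n.bit_length() + 8) // 8  # one extra bit for the sign
    return der_tlv(0x02, n.to_bytes(nbytes, "big", signed=True))


def der_bool(flag: bool) -> bytes:
    return der_tlv(0x01, b"\xff" if flag else b"\x00")


def der_ctx(num: int, inner: bytes) -> bytes:
    """EXPLICIT context-specific [num] tag (constructed), as Kerberos ASN.1 uses."""
    return der_tlv(0xA0 | num, inner)


def der_seq(*parts: bytes) -> bytes:
    return der_tlv(0x30, b"".join(parts))


def encode_pa_pac_request(include_pac: bool) -> bytes:
    """KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }"""
    return der_seq(der_ctx(0, der_bool(include_pac)))


def encode_padata(ptype: int, pvalue: bytes) -> bytes:
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING } (RFC 4120)"""
    return der_seq(der_ctx(1, der_int(ptype)), der_ctx(2, der_tlv(0x04, pvalue)))


def build_no_pac_padata() -> bytes:
    """The PA-DATA element to place in the AS-REQ padata list: include-pac = FALSE."""
    return encode_padata(PA_PAC_REQUEST, encode_pa_pac_request(False))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + ln], pos + ln


def parse_padata(buf: bytes):
    """Decode one PA-DATA; return (padata-type, padata-value bytes)."""
    tag, seq, _ = der_read(buf)
    assert tag == 0x30, "PA-DATA must be a SEQUENCE"
    tag1, ctx1, nxt = der_read(seq)
    tag2, ctx2, _ = der_read(seq, nxt)
    assert tag1 == 0xA1 and tag2 == 0xA2, "expected [1] padata-type and [2] padata-value"
    _, ival, _ = der_read(ctx1)
    _, pvalue, _ = der_read(ctx2)
    return int.from_bytes(ival, "big", signed=True), pvalue


def parse_pa_pac_request(buf: bytes) -> bool:
    """Decode KERB-PA-PAC-REQUEST and return the include-pac flag."""
    _, seq, _ = der_read(buf)
    tag, ctx0, _ = der_read(seq)
    assert tag == 0xA0, "expected [0] include-pac"
    btag, bval, _ = der_read(ctx0)
    assert btag == 0x01, "include-pac must be a BOOLEAN"
    return bval != b"\x00"


if __name__ == "__main__":
    pa = build_no_pac_padata()
    print("PA-DATA (hex):", pa.hex())
    ptype, pvalue = parse_padata(pa)
    print("padata-type:", ptype, "include-pac:", parse_pa_pac_request(pvalue))
```

The resulting element goes into the AS-REQ's padata [1] SEQUENCE OF PA-DATA alongside whatever pre-authentication the client already sends; it is only a request, and whether the KDC honours it is KDC policy, so a client must still be prepared for a large reply (and for the KDC steering it onto TCP) rather than assuming the PAC is gone.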