replicating windows 2000 principals

Christos Ricudis ricudis at itc.auth.gr
Fri Sep 27 02:31:12 EDT 2002 

On Thu, 2002-09-26 at 16:43, Eric Lee Steadle wrote:
> You are correct, Microsoft does not implement the Kerberos Admin portion of
> the Kerberos spec. But I don't think you are totally out of luck.
> 
> As far as replication goes, yes, Microsoft uses a proprietary mechanism
> (Active Directory Multi-Master replication) to replicate not just account
> information, but all AD database information to each AD server. Reverse
> engineering this would be a significant effort. Fortunately, I don't think you
> need to do this since there's another way.
> 
> I believe the best way to do this is to use an LDAP client to talk to the LDAP
> / Active Directory and query for account information, then stuff that
> information into your slave KDC yourself using the MIT Kerberos administrative
> interface. OpenLDAP can talk to a Windows AD Server (we've done something
> similar here to create accounts in the Active Directory -- but I can't send
> you any details because my company considers it proprietary information).
> Since AD replicates all of the database for you, you can talk to any AD
> server.
> 
> The LDAP interface requires that you first authenticate (via Kerberos)
> yourself as a user with sufficient privileges to query the AD server. We've
> done that here as well, and it's pretty easy if you use the MIT Kerberos
> libraries. They will talk to a Windows KDC and retrieve tickets for use with
> LDAP. Very cool. Chekc out this link:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> 
> Hope this gets you started in the right direction...

I know about authentication, my main problem is replication. I had
thought of replicating the AD information into an LDAP database and then
feeding this to a UNIX KDC - but this way I'd lost the passwords of the
principals - or I'm missing something here? 

My main effort is to build a single system sign-on solution for our
environment, consisting of AFS, W2K and Unix. I can persuade AFS to
authenticate from a UNIX KDC, but not from Windows 2000 KDC, so I HAVE
to use a UNIX KDC somewhere (I also feel more confident with unix, but
that's another question). 

One way is to replicate all AD information into an OpenLDAP/MITkrb5
combination - this way, Windows clients would authenticate to AD, UNIX
clients would authenticate to OpenLDAP/MITkrb5, and the single point of
management would be the windows AD.

Another solution would be to create an administrative front-end that
manages account information and add/delete/modify information both to
the AD, LDAP, and Unix KDC - but then I'll need to worry about keeping
everything in sync. 

Christos Ricudis
ricudis at itc.auth.gr

More information about the Kerberos mailing list