replicating windows 2000 principals
Douglas E. Engert
deengert at anl.gov
Fri Sep 27 10:20:39 EDT 2002
Christos Ricudis wrote:
>
> On Thu, 2002-09-26 at 16:43, Eric Lee Steadle wrote:
>
> My main effort is to build a single system sign-on solution for our
> environment, consisting of AFS, W2K and Unix. I can persuade AFS to
> authenticate from a UNIX KDC, but not from Windows 2000 KDC, so I HAVE
> to use a UNIX KDC somewhere (I also feel more confident with unix, but
> that's another question).
>
No, AFS can be persuaded to use a W2K AD for authentication. We can do that
here via two methods. A modified aklog, called ak5log, uses the krb524d.
For the W2K domain, we added code to the client to find the krb524d on a
unix box rather than the same machine as the W2K AD. That was the old approach.
The new approach is to use gssklog. The gssklog authenticates to a server
running on one or more of the AFS database servers which returns an AFS token.
It does not use krb524, but rather authenticates using GSSAPI. It was
originally written to use the Globus GSI, but works just as well with the
Kerberos GSSAPI.
See ftp://achilles.ctd.anl.gov/pub/DEE/README.GSSKLOG
and ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.6.tar
>
> Christos Ricudis
> ricudis at itc.auth.gr
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444