replicating windows 2000 principals

Douglas E. Engert deengert at
Fri Sep 27 10:20:39 EDT 2002

Christos Ricudis wrote:
> On Thu, 2002-09-26 at 16:43, Eric Lee Steadle wrote:

> My main effort is to build a single system sign-on solution for our
> environment, consisting of AFS, W2K and Unix. I can persuade AFS to
> authenticate from a UNIX KDC, but not from Windows 2000 KDC, so I HAVE
> to use a UNIX KDC somewhere (I also feel more confident with unix, but
> that's another question).
No, AFS can be persuaded to use a W2K AD for authentication. We can do that 
here via two methods. A modified aklog, called ak5log, uses the krb524d. 
For the W2K domain, we added code to the client to find the krb524d on a 
unix box rather than the same machine as the W2K AD. That was the old approach. 

The new approach is to use gssklog. gssklog authenticates to a server 
running on one or more of the AFS database servers which returns an AFS token.

It does not use krb524, but rather authenticates using GSSAPI. It was
originally written to use the Globus GSI, but works just as well with the 
Kerberos GSSAPI.


> Christos Ricudis
> ricudis at


 Douglas E. Engert  <DEEngert at>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
