Windows 2000 Server as KDC

Mel Riser mel.riser at fxfn.com
Tue Jul 22 11:05:49 EDT 2003


EXACTLY

Plus the krb4 versions had so many bad security flaws, we had no choice. When the bad krb4 bug came out last year, we removed any dependencies or backwards-compatible 4 code and just use 5.

mel

-----Original Message-----
From: Ken Hornstein [mailto:kenh at cmf.nrl.navy.mil]
Sent: Tuesday, July 22, 2003 9:52 AM
To: John Rudd
Cc: kerberos at mit.edu
Subject: Re: Windows 2000 Server as KDC 


>> an easier solution would be to set up a windows realm for Win2k KDC and a
>> cross realm trust with a linux box in a different realm.
>> 
>
>We were doing this (with Solaris, not Linux), but when the bug and fix
>for the cross-realm security hole came out a few months ago, that caused
>it all to break (we need krb4 cross-realm auth because AFS is in the
>picture).  So, we're basically running an older un-patched krb524d in
>order to keep things working ... but that doesn't make me comfortable in
>the long run, so I'm looking for other solutions.

So why haven't you switched to a V5 solution for AFS?  Lots of people
have done this, and it works just fine, even with cross-realm.  This
is assuming you're running a new enough version of OpenAFS, of course.

--Ken
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos