Windows 2K-based domain, UNIX-based Kerb/LDAP passthru
MattW
mbw at u.washington.edu
Tue Jul 22 14:45:52 EDT 2003
Scott,
Sounds like we're both trying to do the same thing... Im at the
University of Washington in Seattle in a small group - we have
NT 4 now and are going to upgrade to windows 2000 w/active
directory soon and want to use a Linux-MIT-Kerberos server
as our master authentication. So all passwords will reside
on the linux/MIT/Kerberos5 Server and Windows login
authentication will reference those credentials.
We havent implemented this yet, but we're in the process of
learning about it....
The best windows-side pages I've found about this are the following
link - I hope you'll find them useful...
http://www.coe.uncc.edu/~rmdyer/krblogon.htm
http://ofb.net/~jheiss/krbldap/
http://www.washington.edu/computing/support/windows/2000/altsecid.html
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
-Matt
Scott Ehrlich wrote:
> I am preparing to implement either a Windows 2000 or Windows 2003 Server
> domain with AD for 1000+ people, and we plan to have separate UNIX-based
> Kerberos and LDAP servers. This is for an MIT independent lab with a very
> heterogenious environment, so PAM (pluggable authentication modules) for
> the UNIX clients will not be friendly options. I'm part of the system
> team.
>
> The goal will be to set up the Win Server with AD, have Windows clients
> join as workstations. Then, with accounts and security being shared
> between the LDAP and Kerberos servers, allow users to log into any
> workstation of choice (or multiple workstations), do whatever they want -
> (change passwords, work on research, etc), and have all authentication
> to/from the Windows clients simply pass through the domain controller, so
> we don't have to deal with two Kerberos and LDAP environments (one being
> the independent servers, the other being the domain controller).
>
> The ultimate goal will be the ability of users to log into UNIX and
> Windows workstations alike with the same credentials, and all
> authentication pointing singly at the LDAP and Kerberos servers only.
>
> Thanks for ANY leads. I've got some URLs, but I want as much info as
> possible, for I'm the key implementor of this for the Microsoft-side :-|
>
> Scott
More information about the Kerberos
mailing list