Windows 2K-based domain, UNIX-based Kerb/LDAP passthru

MattW mbw at u.washington.edu
Tue Jul 22 14:45:52 EDT 2003



Scott,

Sounds like we're both trying to do the same thing... I'm at the
University of Washington in Seattle in a small group - we have
NT 4 now and are going to upgrade to windows 2000 w/active
directory soon and want to use a Linux-MIT-Kerberos server
as our master authentication.  So all passwords will reside
on the linux/MIT/Kerberos5 Server and Windows login
authentication will reference those credentials.

We haven't implemented this yet, but we're in the process of
learning about it....

The best Windows-side pages I've found about this are the following
links - I hope you'll find them useful...

http://www.coe.uncc.edu/~rmdyer/krblogon.htm

http://ofb.net/~jheiss/krbldap/

http://www.washington.edu/computing/support/windows/2000/altsecid.html

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp


-Matt


Scott Ehrlich wrote:
> I am preparing to implement either a Windows 2000 or Windows 2003 Server
> domain with AD for 1000+ people, and we plan to have separate UNIX-based
> Kerberos and LDAP servers.  This is for an MIT independent lab with a very
> heterogeneous environment, so PAM (pluggable authentication modules) for
> the UNIX clients will not be friendly options.  I'm part of the system
> team.
> 
> The goal will be to set up the Win Server with AD, have Windows clients
> join as workstations.  Then, with accounts and security being shared
> between the LDAP and Kerberos servers, allow users to log into any
> workstation of choice (or multiple workstations), do whatever they want -
> (change passwords, work on research, etc), and have all authentication
> to/from the Windows clients simply pass through the domain controller, so
> we don't have to deal with two Kerberos and LDAP environments (one being
> the independent servers, the other being the domain controller).
> 
> The ultimate goal will be the ability of users to log into UNIX and
> Windows workstations alike with the same credentials, and all
> authentication pointing singly at the LDAP and Kerberos servers only.
> 
> Thanks for ANY leads.  I've got some URLs, but I want as much info as
> possible, for I'm the key implementor of this for the Microsoft-side :-|
> 
> Scott


