Windows 2K-based domain, UNIX-based Kerb/LDAP passthru

Tim Alsop Tim.Alsop at CyberSafe.Ltd.UK
Thu Jul 24 14:54:43 EDT 2003


Matt, Scott,

You can also refer to a white paper which was written jointly by Microsoft and our company (CyberSafe) and explains some of the common deployment scenarios for UNIX and Active Directory.

This paper is available for download at:

http://www.cybersafe.ltd.uk/docs_cybersafe/Kerberos%20Interoperability%20-%20Microsoft%20W2k%20&%20ActiveTRUST.pdf

Thanks, Tim.

-----Original Message-----
From: MattW [mailto:mbw at u.washington.edu] 
Sent: 22 July 2003 19:46
To: kerberos at mit.edu
Subject: Re: Windows 2K-based domain, UNIX-based Kerb/LDAP passthru



Scott,

Sounds like we're both trying to do the same thing... I'm at the University of Washington in Seattle in a small group - we have NT 4 now and are going to upgrade to Windows 2000 w/Active Directory soon and want to use a Linux-MIT-Kerberos server as our master authentication.  So all passwords will reside on the Linux/MIT/Kerberos5 server and Windows login authentication will reference those credentials.

We haven't implemented this yet, but we're in the process of learning about it....

The best Windows-side pages I've found about this are the following links - I hope you'll find them useful...

http://www.coe.uncc.edu/~rmdyer/krblogon.htm

http://ofb.net/~jheiss/krbldap/

http://www.washington.edu/computing/support/windows/2000/altsecid.html

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp


-Matt


Scott Ehrlich wrote:
> I am preparing to implement either a Windows 2000 or Windows 2003 
> Server domain with AD for 1000+ people, and we plan to have separate 
> UNIX-based Kerberos and LDAP servers.  This is for an MIT independent 
> lab with a very heterogeneous environment, so PAM (pluggable 
> authentication modules) for the UNIX clients will not be friendly 
> options.  I'm part of the system team.
> 
> The goal will be to set up the Win Server with AD, have Windows 
> clients join as workstations.  Then, with accounts and security being 
> shared between the LDAP and Kerberos servers, allow users to log into 
> any workstation of choice (or multiple workstations), do whatever they 
> want - (change passwords, work on research, etc), and have all 
> authentication to/from the Windows clients simply pass through the 
> domain controller, so we don't have to deal with two Kerberos and LDAP 
> environments (one being the independent servers, the other being the domain controller).
> 
> The ultimate goal will be the ability of users to log into UNIX and 
> Windows workstations alike with the same credentials, and all 
> authentication pointing singly at the LDAP and Kerberos servers only.
> 
> Thanks for ANY leads.  I've got some URLs, but I want as much info as 
> possible, for I'm the key implementor of this for the Microsoft-side 
> :-|
> 
> Scott

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos