Unify Unix and NT accounts with kerberos

Digant Kasundra digant at uta.edu
Thu May 1 17:36:26 EDT 2003


At University of Texas at Arlington, we're still working on a similar task
to provide a single username and password to students on all 4 of our
platforms (Windows, Linux, Tru64, and Solaris).

So far, we have done testing with Kerberos and LDAP to authenticate Unix
users against Active Directory.  The results have been okay, but not
acceptable.  

Speaking of Kerberos specifically, we tested with Linux against Active
Directory and were able to authenticate users without a problem.  But, for
instance, if the person's password had expired, the pam_krb5 module was
unable to recognize this during the accounting part (it would recognize it
during the authentication part but based on PAM standards, asking a user to
change their password should be done in the accounting part).

But for the normal case where a user has an account on a Unix system and a
username and password stored in Active Directory (that isn't expired, or
locked, or anything else weird), pam_krb5 works like a charm to authenticate
the user using Kerberos v5.

FYI, pam_ldap also has major shortcomings when it comes to handling these
special cases (e.g. password expiration).

We are planning to begin work on our own module called pam_ad that will be
designed specifically to integrate Kerberos and LDAP for the purpose of
authenticating and handling accounting against Active Directory.

-- Digant

> -----Original Message-----
> From: Jerome Walter [mailto:walter+SP at M.efrei.fr] 
> Sent: Thursday, May 01, 2003 4:04 PM
> To: kerberos at MIT.EDU
> Subject: Unify Unix and NT accounts with kerberos
> 
> 
> Good evening everyone,
> 
> I have been asked to study and implement a technology to 
> unify accounts and data between NT (2000), Unix (Solaris) and 
> GNU/Linux stations.
> 
> For the moment, I think Kerberos would be the best (the only 
> one?) solution to have the same password between NT and 
> Unix. Is that true?
> 
> Am I wrong, or has anyone ever had problems trying to use 
> Samba + Kerberos to get a domain for NT stations "compatible" 
> with GNU/Linux and Unix?
> 
> 
> Could you please give me advice about which KDC to use, points to 
> be careful of, or any other way to have these passwords synced 
> without authenticating Unix stations over the Windows domain.
> 
> Best regards,
> 
> 
> Jerome Walter
> 
> -- 
> -+--   Jérôme Walter - I2 EFREI   ----+-
> Equipe Système - Efrei Robotique - Jap'Efrei - Erasmus Tutors
> "The World is my country" - "Nihon no tomodachi desu"
> EFREI System and Networking guide http://perso.efrei.fr/~walter/
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
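For readers unfamiliar with the PAM phases Digant refers to (authentication versus accounting), the following is an added illustration, not a configuration from either poster or from UTA, of a Linux PAM service stack that sends each phase through pam_krb5 against a Kerberos realm such as an Active Directory domain. Module options and the service file name are assumptions based on the Red Hat pam_krb5 module; check your distribution's pam_krb5(5) and pam.conf(5) before use.

```pam
# /etc/pam.d/login -- added example stack, not from the original thread.
# PAM runs four management groups; the login service asks each in turn.

# auth: verify the password. pam_krb5 obtains a TGT from the KDC
# (here an AD domain controller); pam_unix is the fallback for local accounts.
auth        required    pam_env.so
auth        sufficient  pam_krb5.so minimum_uid=1000
auth        required    pam_unix.so try_first_pass

# account: is this account allowed in right now (expired, locked, ...)?
# A module that detects an expired password here must return
# PAM_NEW_AUTHTOK_REQD so the service forces a change; the post above
# reports that pam_krb5 did not do this in the account phase in 2003.
account     required    pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so

# password: the change itself (pam_krb5 talks to the KDC's kpasswd service).
# Reached when the account phase requested a change or the user runs passwd.
password    sufficient  pam_krb5.so use_authtok
password    required    pam_unix.so use_authtok

# session: housekeeping for the new login, e.g. credential cache ownership.
session     required    pam_unix.so
session     optional    pam_krb5.so
```

The point of the layout is that "does the password still work" (auth) and "is the user still allowed in" (account) are separate questions answered by separate stacks; a module that only handles expiry in auth leaves the account stack unable to trigger the password phase, which is the gap the post describes.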