Windows with MIT krb5 and OpenLDAP

Sensei noone at nowhere.org
Sat Apr 10 05:13:12 EDT 2004


Brian Davidson wrote:
> As Jeffrey said,
> MIT + standalone windows works if you map Kerb principal to user on the 
> Windows box.

This means adding users on the Windows clients... just the thing I want 
to avoid :)

> MIT + AD also works, if you set up cross-realm auth (AD trusts MIT, MIT 
> doesn't trust AD works)

This is another thing: creating an AD server, and for all newly created 
principal/AFS users I will have to create a user on the AD server... A 
middle-way solution...

> This last issue isn't doable at this point, because of the PAC issue.  
> OpenLDAP isn't sufficient to replace AD. [...]
> 
> I suggest that you also check with the Samba group, as I think they've 
> been working on solving this problem.

OK, I'll try some Samba groups...

>  I'm pretty sure you'll have to 
> run Kerberos and LDAP on the same box (whenever someone gets it 
> working), and quite possibly Samba too.

AFS, Kerberos and LDAP are currently on the same server... and I'll keep 
it so...

