Authenticating Windows users with MIT Kerberos

Jason T Hardy jthardy at uta.edu
Wed Mar 24 14:56:50 EST 2004


We've been testing MIT Kerberos as a centralized authentication
mechanism for Linux/UNIX and Windows boxes for the past several months.
My test setup consists of one master and two slave (read-only) KDCs
running RHEL AS 3.0 and a myriad of clients. So far, all is well on the
Linux/UNIX client side, but I keep running into a problem with the
Windows client setup, ksetup on WinXP specifically.

The ksetup utility doesn't allow me to specify an admin server separate
from my KDCs. I would like all of the "normal" ticket requests to go to
the slave KDCs and the "admin" traffic to go to the admin server. 

As it stands, I cannot change passwords on the Windows box unless I've
only specified the admin server. Not only is this a drain on my admin
server's resources, it's a single point of failure for my Windows
clients.

I can see a few solutions, but haven't found anyone that's put together
a good tutorial for doing this yet:

(1) Allow for multi-master admin servers -- Microsoft seems to have this
in AD, but from my research, the master KDC is a single point of failure
in the MIT implementation. If this worked, delta-level replication would
happen from KDC to KDC (no more master -> slave propagation).

(2) Alter the Kerberos setup under Windows to specify separate admin and
KDC servers. This would solve my immediate problem, but it still appears
to me that a single admin server is a single point of failure for
password changes.

(3) Redirect admin server requests at the slave KDCs. I'm not even sure
if this would work, but if I were to set up a NAT tunnel from the
kpasswd service on my slave KDC to my admin server (and back again), the
client would think that the slave is handling the password change
request.

I'm sure that there are more issues that I haven't thought of or run
into yet. I'd appreciate any guidance that you may be able to provide.

Thank you,
Jason Hardy

-- 
Jason T Hardy
Unix Systems Administrator
Office of Information Technology
University of Texas at Arlington

http://www.uta.edu/linux/
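The realm layout the poster describes (read-only slaves for ticket traffic, one master for administrative traffic) is expressed on the UNIX/Linux client side by separate keys in the MIT krb5.conf realm stanza. The following stanza is an added example, not part of the original message or of any MIT or Microsoft documentation; the realm name and hostnames are constructed placeholders.

```ini
# Added example (not from the original post): an MIT krb5.conf realm stanza
# for UNIX/Linux clients that sends ordinary ticket requests to the read-only
# slave KDCs and only administrative traffic (kadmin, password changes)
# to the master. Realm and hostnames are constructed placeholders.
[libdefaults]
    default_realm = EXAMPLE.EDU

[realms]
    EXAMPLE.EDU = {
        # Ticket-granting traffic: clients try these in order, so two
        # slaves give redundancy for logins even when the master is down.
        kdc = kdc1.example.edu
        kdc = kdc2.example.edu
        # kadmin protocol (TCP 749) goes only to the master, which holds
        # the writable principal database.
        admin_server = kerberos-master.example.edu
        # Password changes (port 464) also go to the master. This key is
        # optional and defaults to the admin_server value; setting it
        # makes explicit that password changes have a single point of
        # failure even though logins do not.
        kpasswd_server = kerberos-master.example.edu
    }

[domain_realm]
    .example.edu = EXAMPLE.EDU
    example.edu = EXAMPLE.EDU
```

Slave KDCs do not run kadmind, so a password change sent to a slave is refused; only the host listed under admin_server (or kpasswd_server) can service it. This is the separation the poster cannot express through ksetup, which only accepts a list of KDCs, so a Windows client can change passwords only when that list points at the master.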



More information about the Kerberos mailing list