MIT KDC & Windows Client - change password & cross realm referral
Lara Adianto
m1r4cle_26 at yahoo.com
Fri May 28 08:55:45 EDT 2004
Hello,

I've been experimenting with Heimdal Kerberos on cross-realm authentication, for Windows 2000 clients to authenticate to a Heimdal KDC, and just found out that there seems to be a problem with change-password interoperability between the Win2k client and the Heimdal KDC.

Therefore, I intend to switch to MIT Kerberos but need to confirm the interoperability features of MIT KDC and Windows clients:

1. Is there any issue of change-password incompatibility between MIT KDC and Windows clients? Will a user from a Win2k / WinXP machine be able to change his/her password in MIT KDC using Ctrl-Alt-Del or when the password is expired?

In the following link:
http://mailman.mit.edu/pipermail/kerberos/2004-April/005326.html,
Jeffrey Altman wrote:

"I have just tested MIT KDC 1.3.3 with two machines. One which is part of a Windows domain which uses cross-realm trust with a MIT KDC to perform login. In this case the password change does not appear to work on expiration."

Has anyone found a way to solve the above problem? Or is this still a limitation of the interoperability between MIT Kerberos KDC and Windows clients?

2. Quoting from the paper of Michael Swift, Irina Kosinovsky and Jonathan Trostle titled "Implementation of Crossrealm Referral Handling in the MIT Kerberos Client":

"The Windows 2000 client does not canonicalize names at all, so the short name is sent to the KDC."

Hence, if my understanding is correct, a request for the service host/service-name.foo.org will be sent to the MIT Kerberos KDC as host/service-name@KERBEROS.REALM and not as host/service-name.foo.org@KERBEROS.REALM.

How does MIT Kerberos determine the 'right' realm to be used in issuing a referral ticket for the client's request? DNS? krb5.conf? Does this mean that every service-name must have an entry in DNS or krb5.conf? For example:

serviceA = realmA
serviceB = realmB

This will be tedious if we have to specify the mapping for every possible service or host that we have in a domain one by one, right?

Regards,
lara
=====
------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
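The second question above concerns how a KDC maps a service's host name to a realm when the client does not canonicalize the name. The following is an added example, not code from the post or from the MIT Kerberos project: a small Python model of the [domain_realm] lookup that MIT krb5 documents for krb5.conf (an exact host-name entry wins, otherwise the parent domains are tried from most specific to least, with a leading dot marking a domain entry). The krb5.conf fragment, the realm names and the candidate order used here are constructed for illustration and simplify the real library's lookup; the point it shows is that one ".foo.org" entry covers every host under that domain, whereas a bare short name such as "service-name" has no domain suffix to match and falls through to default_realm.

```python
import re

# Constructed krb5.conf fragment (illustrative, not from the post or any real site).
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[domain_realm]
    # one domain entry covers every host under foo.org ...
    .foo.org = FOO.ORG
    # ... unless a more specific host or sub-domain entry exists
    legacy.foo.org = OLD.FOO.ORG
    .eng.foo.org = ENG.FOO.ORG
    # an entry without a leading dot also names the domain itself
    bar.org = BAR.ORG
"""


def parse_sections(text):
    """Minimal INI-style parser for the flat krb5.conf sections used here.

    Returns {section: {key: value}}; keys are lower-cased because MIT krb5
    expects lower-case host and domain names in [domain_realm].
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return sections


def candidate_keys(hostname):
    """Yield the [domain_realm] keys to try, most specific first.

    For "a.b.c": "a.b.c", ".b.c", "b.c", ".c", "c".  A short name with no
    dots yields only itself, so no domain entry can ever match it.
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    yield host
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        yield "." + suffix     # explicit domain entry
        yield suffix           # host entry implicitly naming the domain


def realm_for_host(hostname, conf):
    """Return (realm, matching_key); key is None when default_realm is used."""
    mapping = conf.get("domain_realm", {})
    for key in candidate_keys(hostname):
        if key in mapping:
            return mapping[key], key
    return conf.get("libdefaults", {}).get("default_realm"), None


CONF = parse_sections(KRB5_CONF)

if __name__ == "__main__":
    for name in ("www.foo.org", "build.eng.foo.org", "legacy.foo.org",
                 "www.bar.org", "service-name"):
        realm, key = realm_for_host(name, CONF)
        print(f"{name:20} -> {realm:12} (matched {key!r})")
```

Running the block prints one line per host; "service-name" is the case the post worries about: without a domain suffix in the principal, neither the exact-host nor the domain entries apply, and the KDC is left with default_realm, so the per-service mapping the post describes is only needed when the client sends names that carry no usable domain.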