Using kerberos w/o binding to active directory

David Carlin dcarlin3 at yahoo.com
Tue Feb 15 23:16:08 EST 2005


I have a file server on the campus Active Directory that contains the 
home directories for all the users of the campus computer lab.  I would like 
for students to be able to connect to a share and access their files 
from their dorm PCs not on the Active Directory.  The complication here 
is since their dorm PCs are not bound to the Active Directory, they are 
not using Kerberos for authentication.  I'd like to come up with a set 
of instructions so they can get a Kerberos ticket and connect to the 
share, but I don't have a strong Kerberos background.

I have been able to do this on a Mac by setting up an appropriate 
/Library/Preferences/edu.mit.kerberos file (just like krb5.conf) and 
using the /System/Library/CoreServices/Kerberos application to get a 
ticket.  Once this happens, the Mac user is able to connect to the share 
and see their files.  This at least leads me to believe that what I want to 
accomplish is possible.

Berkeley has a set of instructions for their students to do this.  Their 
AD also uses Kerberos for authentication:

http://calnetad.berkeley.edu/documentation/interoperability/#item1

It seems to have the students install a .reg file which has the same 
effect as running the necessary ksetup.exe commands.  I have tried 
using this method to no avail, creating an analogous registry file by 
copying those keys from a working machine on the Active Directory.

The difference in the event logs on the server side between the failed 
Windows connections and the successful MacOS 10.3 ones is this:

Successful Network Logon:
   User Name:  djc6
   Domain:     ADS
   Logon ID:      (0x0,0x64EC9)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos

Login Failures all show:
   Logon Process: NtLmSsp
   Authentication Package: NTLM

So it seems I am missing something fundamental, where the Windows clients 
aren't even trying to use Kerberos for authentication.

Anyone have any ideas?

   -David
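The post's diagnosis rests on reading the server-side logon events and noticing that the failing clients never present Kerberos at all: every failure carries "Logon Process: NtLmSsp" and "Authentication Package: NTLM". As an added example (not part of David's message, and not a Microsoft or MIT tool), the script below parses event text in the same field layout as the excerpts above and reports, per user, how many logons used Kerberos and how many fell back to NTLM. The three events in `SAMPLE_EVENTS` are constructed for illustration; the user names and logon IDs are sample values, not data from the original post beyond the one excerpt it shows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events, laid out like the Windows Security log excerpts in
# the post (one header line, then indented "Field: value" lines, blank-line separated).
SAMPLE_EVENTS = """\
Successful Network Logon:
   User Name:  djc6
   Domain:     ADS
   Logon ID:      (0x0,0x64EC9)
   Logon Type: 3
   Logon Process: Kerberos
   Authentication Package: Kerberos

Logon Failure:
   User Name:  djc6
   Domain:     ADS
   Logon Type: 3
   Logon Process: NtLmSsp
   Authentication Package: NTLM

Successful Network Logon:
   User Name:  student2
   Domain:     ADS
   Logon Type: 3
   Logon Process: NtLmSsp
   Authentication Package: NTLM
"""


@dataclass
class LogonEvent:
    outcome: str        # "success" or "failure", taken from the header line
    user: str
    domain: str
    logon_type: str     # "3" is a network logon (file share access)
    logon_process: str  # e.g. "Kerberos" or "NtLmSsp"
    auth_package: str   # e.g. "Kerberos" or "NTLM"


# One "Field name: value" line; the field name may contain spaces.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")


def parse_events(text: str) -> List[LogonEvent]:
    """Split blank-line separated event blocks into LogonEvent records."""
    events: List[LogonEvent] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = lines[0].strip().rstrip(":")
        outcome = "failure" if "failure" in header.lower() else "success"
        fields: Dict[str, str] = {}
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip().lower()] = m.group(2)
        events.append(LogonEvent(
            outcome=outcome,
            user=fields.get("user name", ""),
            domain=fields.get("domain", ""),
            logon_type=fields.get("logon type", ""),
            logon_process=fields.get("logon process", ""),
            auth_package=fields.get("authentication package", ""),
        ))
    return events


def classify(event: LogonEvent) -> str:
    """Return 'kerberos', 'ntlm' or 'other' based on the authentication package."""
    pkg = event.auth_package.lower()
    if pkg == "kerberos":
        return "kerberos"
    if "ntlm" in pkg:
        return "ntlm"
    return "other"


def summarize(events: List[LogonEvent]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of Kerberos and NTLM logon attempts (successes and failures)."""
    summary: Dict[str, Dict[str, int]] = {}
    for ev in events:
        counts = summary.setdefault(ev.user, {"kerberos": 0, "ntlm": 0, "other": 0})
        counts[classify(ev)] += 1
    return summary


def ntlm_fallback_users(events: List[LogonEvent]) -> List[str]:
    """Users who presented NTLM at least once, i.e. clients that never obtained a ticket."""
    return sorted({ev.user for ev in events if classify(ev) == "ntlm"})


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for user, counts in summarize(parsed).items():
        print(f"{user}: {counts}")
    print("NTLM fallback users:", ntlm_fallback_users(parsed))
```

Run against a real export, the summary makes the problem in the post visible at a glance: a user whose entries are all "ntlm" has a client that is not even attempting Kerberos, so the fix lies in the client's realm/KDC configuration (the ksetup or krb5.conf side), not in the share permissions.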