Login to XP workstation in Windows Server 2003 2k3 AD domain

Thomas Schweizer thomas.schweizer at stat.unibe.ch
Sat Jan 15 04:10:07 EST 2005


> Active Directory domain, but we would like them to authenticate to an MIT
> Kerberos KDC through a trust arrangement. We don't want the MIT
> Kerberos KDC to have to know and trust each individual workstation, we
> want it to only know about the Windows Server 2003 domain controller.
> In other words I don't want to point 100 XP workstations at the KDC
> for authentication, I want them to just sign into the AD domain but
> get authenticated by the fact that they have a valid account in the
> MIT kerberos KDC.
> 
> Is this even possible?

Yes, that's possible. It should be quite easy to set up (some time ago I 
got it to work). Take a look at:

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

The section "Setting Trust with a Kerberos Realm" is relevant for your 
needs. Don't forget to create the account mapping in the AD directory 
for each user (this is needed because of the Windows authorization 
model, i.e. Windows needs to know which (domain) groups you are in, etc.).

Note: this setup will only allow Kerberos authentication; no NTLM will 
be available (under some circumstances Windows will transparently fall 
back to NTLM, e.g. if you want to access the shares of a computer using a 
plain IP address such as \\192.168.10.12\share_name).
The current Samba 3.x branch doesn't support cross-realm trusts with 
non-Windows realms, AFAIK.
Your KDC should be allowed to issue DES keys, because I think for 
cross-realm trusts between AD and MIT krb5 these have to be DES ones.

Hope this will help you.

Thomas
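The procedure Thomas outlines (realm trust, per-user account mapping, encryption-type constraint), spelled out on the Windows side as an added example. This is not code from the original post or from the Microsoft guide it links; it assumes hypothetical names (AD domain AD.EXAMPLE.COM, MIT realm KRB.EXAMPLE.ORG, KDC host kdc.example.org, users alice and bob, a trust password) and uses only standard tools: ksetup and netdom for the trust, and the ActiveDirectory PowerShell module (RSAT) to write the altSecurityIdentities attribute, which is the same attribute the "Name Mappings" dialog in Active Directory Users and Computers sets on a 2003-era domain controller. The DES remark in the reply reflects 2003-era AD; on Windows Server 2008 R2 and later DES is disabled by default and the trust can be declared AES-capable with ksetup /SetEncTypeAttr instead of re-enabling DES.

```powershell
# Added example (not from the original post): Windows-side setup of an AD -> MIT
# Kerberos realm trust plus the per-user account mapping the reply mentions.
# Every name and secret below is an assumption chosen for illustration.
$ADDomain = 'AD.EXAMPLE.COM'            # the Windows Server 2003 AD domain
$MitRealm = 'KRB.EXAMPLE.ORG'           # the MIT Kerberos realm (realm names are case-sensitive)
$Kdc      = 'kdc.example.org'           # MIT KDC host
$TrustPw  = 'use-a-long-random-secret'  # shared with the cross-realm krbtgt principal

# 1. Point the domain controller at the MIT KDC and its kpasswd service.
#    Workstations need the same unless _kerberos._udp.<realm> SRV records exist in DNS.
ksetup /addkdc     $MitRealm $Kdc
ksetup /addkpasswd $MitRealm $Kdc

# 2. Create the realm trust. The first argument is the trusting side (AD);
#    /d: names the trusted MIT realm and /realm marks it as a non-Windows KDC.
#    The trust password must equal the password of the cross-realm principal
#    krbtgt/AD.EXAMPLE.COM@KRB.EXAMPLE.ORG on the MIT side, created there with e.g.
#      kadmin.local -q "addprinc -pw <TrustPw> krbtgt/AD.EXAMPLE.COM@KRB.EXAMPLE.ORG"
#    For 2003-era AD (Thomas' DES remark) add "-e des-cbc-crc:normal" to that addprinc.
#    On Windows Server 2008 R2 and later, leave DES off and declare AES for the trust:
#      ksetup /SetEncTypeAttr $MitRealm AES256-CTS-HMAC-SHA1-96
netdom trust $ADDomain "/d:$MitRealm" /add /realm "/passwordt:$TrustPw"

# 3. Map each MIT principal to an AD account. Kerberos only proves who holds the
#    key; Windows authorizes from the AD account (SID, group membership), so a
#    principal without a mapping cannot log on even though the trust is in place.
Import-Module ActiveDirectory
$mappings = @{
    'alice' = 'alice@KRB.EXAMPLE.ORG'
    'bob'   = 'bob@KRB.EXAMPLE.ORG'
}
foreach ($sam in $mappings.Keys) {
    Set-ADUser -Identity $sam -Add @{ altSecurityIdentities = "Kerberos:$($mappings[$sam])" }
}

# 4. Checks: the trust is listed and each account carries its mapping.
netdom query trust
foreach ($sam in $mappings.Keys) {
    Get-ADUser -Identity $sam -Properties altSecurityIdentities |
        Select-Object SamAccountName, altSecurityIdentities
}
# On a workstation, log on as alice@KRB.EXAMPLE.ORG and run `klist`: the ticket list
# should contain a krbtgt/AD.EXAMPLE.COM@KRB.EXAMPLE.ORG entry issued by the MIT KDC.
```

Because the trust is Kerberos-only, the fallback Thomas describes still applies: a UNC path by IP address (\\192.168.10.12\share) has no service principal name, so Windows tries NTLM, which the MIT realm cannot answer. Use host names for shares, or register the SPNs, rather than treating the failure as a trust problem.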

