KFW with NT4 domain

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Mar 4 14:11:09 EST 2005


Franco Milicchio wrote:

> Jeffrey Altman wrote:
> 
>> Leash has the ability to extract the Kerberos 5 tickets obtained by 
>> Windows during the login process when the Windows domain controller is
>> Active Directory.  When the domain controller is NT4, there is no 
>> Kerberos 5 support available through Windows.  Therefore, Leash cannot
>> obtain Kerberos tickets from Windows.
> 
> 
> One moment... I didn't say NT has Kerberos like AD has, I asked if the 
> behavior will be the same for NT-domain users like it's now for local 
> users.
> 
> So, matching user/password with k5 principal and afs pts entry, a user 
> will gain a k5 ticket and token automatically, without prompts.
> 
> Users are from a nt-domain, not local.

Leash/KFW does not support integrated login.  Leash/KFW has no 
interaction with the username/password entered by the user when logging
into Windows.

As I stated in my first reply, you must be confusing the behavior of KFW
with the OpenAFS Integrated Login Network Provider which obtains an AFS
token for you using the username and password used to log in to Windows.
AFS tokens are stored in the system global AFS Client Service.  Kerberos
tickets are stored in per-session credential caches.

>> Leash will allow the user to obtain Kerberos 5 tickets for any user
>> principal provided that the user knows the associated password.  Leash
>> will attempt to obtain AFS tokens if OpenAFS is installed.
>  
> Allow automatically or will present the leash interface asking for a 
> principal and password?

Leash will display a dialog if you configure it to do so.

> I'm just trying to understand before screwing up a Windows client :)

I suggest you read the documentation:

	http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/leash_userdoc.pdf


