KFW with NT4 domain

Franco Milicchio milicchio at wisc.edu
Fri Mar 4 14:59:50 EST 2005


Jeffrey Altman wrote:
> Leash/KFW does not support integrated login.  Leash/KFW has no 
> interaction with the username/password entered by the user when logging
> into Windows.
> 
> As I stated in my first reply, you must be confusing the behavior of KFW
> with the OpenAFS Integrated Login Network Provider which obtains an AFS
> token for you using the username and password used to login to Windows.
> AFS tokens are stored in the system global AFS Client Service.  Kerberos
> tickets are stored in per-session credential caches.

Yes. Of course. But I'm sure it's me not explaining in the right way... 
let me make myself clear.

Using OpenAFS integrated login with Kerberos 5 for windows, a local 
user, matching user name and password with Kerberos principal and 
OpenAFS pts entry, gains the AFS token and two tickets (afs/cell at REALM 
and krbtgt).

Now. We're talking about a *local* user. I don't care about local users. 
They work.

What happens when, in the *same* situation stated above (OpenAFS for 
Windows integrated login with Kerberos for Windows), an NT4 domain user 
logs in?

So we have: an NT4 domain with users and machines, a KDC, an AFS cell (no 
kaserver), and a Windows client authenticating on an NT4 domain. On the 
client we install KFW, then OpenAFS, enabling integrated login. Now, 
will a remote user gain the token and all the tickets just the way a 
local user does?

> Leash will display a dialog if you configure it to do so.

...

> I suggest you read the documentation:
> 
>     http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/leash_userdoc.pdf

User docs are for users... I'm on the other side, trying to find 
documents and simple answers, like yes or no :)

I'm just trying to find a good way of having Windows authenticate 
remotely on our Kerberos/AFS infrastructure, so that the same user 
name and password work on every operating system a user wants to use, 
always finding the same home directory, trying not to have MS servers, 
but just our Linux ones. Samba will act as NT4 PDC; if we can handle 
that, Samba will not store any passwords, using PAM for authentication.

-- 
Franco Milicchio <mailto:milicchio at wisc.edu>

No keyboard found. Press F1 to continue...
(Almost every BIOS available in this world... even yours!)
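Added example, not part of the original message: a minimal smb.conf for the 
Linux-hosted NT4-style PDC the setup above describes. The domain name 
EXAMPLE, the NetBIOS name PDC and the share paths are assumptions made for 
the example. One caveat a practitioner will want: NT4 domain logons use NTLM 
challenge/response, so with "encrypt passwords = yes" Samba must keep NT 
password hashes in its own passdb and cannot hand the logon check itself to 
PAM; PAM can still cover account/session restrictions and password changes.

```ini
# smb.conf (Samba 3.x) for a Linux box acting as the NT4-style PDC.
# Added example, not from the original thread. Assumed (hypothetical) names:
#   workgroup/domain : EXAMPLE
#   PDC NetBIOS name : PDC
[global]
    workgroup = EXAMPLE
    netbios name = PDC
    security = user

    # NT4 domain logons: the PDC answers NETLOGON requests and must win the
    # domain master browser election.
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65

    # Domain logons are NTLM challenge/response, so Samba needs the NT hash
    # itself; PAM modules cannot answer a challenge/response check.
    encrypt passwords = yes
    passdb backend = tdbsam

    # What PAM can still do here: enforce account/session restrictions, and
    # route password changes made from a Windows client through the PAM
    # stack (e.g. pam_krb5), so the KDC remains the master password store.
    obey pam restrictions = yes
    unix password sync = yes
    pam password change = yes

    # Home directory and roaming profile locations handed to Windows clients.
    logon drive = H:
    logon home = \\PDC\%U
    logon path = \\PDC\profiles\%U

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    browseable = no

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = no
```

The user name on the Windows side must still match the Kerberos principal 
and the AFS pts entry, as the message above already requires for local 
users; this configuration only changes where the NT4 domain logon is 
answered, not how KFW or the OpenAFS network provider map that name to a 
principal.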

