KFW with NT4 domain

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Mar 4 16:22:06 EST 2005


Franco Milicchio wrote:


> What happens when, in the *same* situation stated above (openafs for 
> windows integrated login with kerberos for windows), a NT4 domain user 
> logs in?
> 
> So we have, a NT4 domain with users and machines, a KDC, an AFS cell (no 
> kaserver), a windows client authenticating on a NT4 domain. On the 
> client we install KFW, then OpenAFS enabling integrating login. Now, 
> will a remote user gain the token and all the tickets just the way a 
> local user does?

OpenAFS for Windows' Integrated Login behaves the same way.  You will
obtain an AFS token and not have any Kerberos 5 tickets in the logon
session.

> User docs are for users... I'm on the other side, trying to find 
> documents and simple answers, like yes or no :)

I am a developer.  You are a user.  You read the documentation that
I write to answer your questions.  Otherwise, I have no time to develop
the software. :)

Part of the problem is that you are not asking the right question.
The other part is that you are asking about the functionality of the
OpenAFS for Windows Integrated Login even though you do not think you
are.  Please read the installation notes for OpenAFS for Windows.
You might also consider searching the openafs-info mailing list
archives.

   https://lists.openafs.org/pipermail/openafs-info/

> I'm just trying to find a good way of having windows authenticate 
> remotely on our kerberos/afs infrastructure, so enabling the same user 
> name and password work on every operating system a user wants to use, 
> finding always the same home directory, trying not to have MS servers, 
> but just our linux ones. Samba will act as NT4 PDC, if we can handle 
> that, samba will not store any password using pam for authentication.

End user authentication to a Samba (NT4) PDC does not use Kerberos, it 
uses either plaintext passwords or NTLM.  If you are configuring Samba
to use PAM to validate the username/password combination, then you are
using plaintext passwords.  In other words, I can sniff the network and
watch every username/password combination used on your Windows domain
and therefore in your Kerberos realm.  DO NOT DO THIS!!!

In order to use NTLMv2, you must have a copy of the password database
available to Samba.

If you want to use Kerberos to authenticate end users, then you must use
Kerberos.  Either deploy an Active Directory with a cross-realm trust
to a non-AD KDC or deploy one of the AD workalikes.  You can travel to
the future and bring back a copy of Samba 4.  That will do what you
desire.

Jeffrey Altman
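To make the two PDC configurations in the reply concrete, here is an added example (not from the original thread) of two alternative Samba 3 smb.conf files for an NT4-style domain controller: first the PAM-backed variant that makes Samba accept plaintext passwords, then one in which Samba holds its own copy of the password hashes so NTLM challenge/response can be used. The workgroup name is a placeholder; option names are the Samba 3.x ones.

```ini
; ===== smb.conf, variant A: PAM-backed PDC (what the quoted setup amounts to) =====
; Samba has no NT password hashes of its own, so the only thing it can
; verify is a password that arrives in the clear and is handed to PAM
; (Samba built --with-pam). Windows clients will only send plaintext if
; EnablePlainTextPassword is switched on, so every client is weakened too.
[global]
    workgroup = EXAMPLE            ; placeholder NT4 domain name
    security = user
    domain logons = yes
    domain master = yes
    encrypt passwords = no         ; clients send the password in plaintext
    obey pam restrictions = yes    ; PAM account/session checks as well
    ; with pam_krb5 behind PAM, the Kerberos password itself crosses the wire

; ===== smb.conf, variant B: Samba holds the password database =====
; With NT hashes in its own backend Samba can answer NTLM/NTLMv2
; challenge/response, so no password leaves the client. Users get a
; separate Samba password (smbpasswd -a); it is not the Kerberos password
; unless it is synchronised out of band, and real Kerberos logon still
; needs AD or a workalike, as the reply says.
[global]
    workgroup = EXAMPLE            ; placeholder NT4 domain name
    security = user
    domain logons = yes
    domain master = yes
    encrypt passwords = yes        ; challenge/response only, never plaintext
    passdb backend = tdbsam        ; local copy of the NT password hashes
    lanman auth = no               ; refuse the weak LM response
    ntlm auth = no                 ; refuse NTLMv1, so clients must use NTLMv2
```

A quick check on a running server is `testparm -s | grep -i 'encrypt passwords'`; if it prints `No`, the PDC is accepting plaintext logons.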
More information about the Kerberos mailing list