Installed Kerberos, and now?

hairydamon@hotmail.com
Wed Oct 12 06:54:14 EDT 2005


You can't. Microsoft have proprietary extensions to Kerberos/LDAP etc
that mean it's impossible to get a Microsoft product using a non-M$ KDC
in the manner you (everyone) would like.

There are some pretty horrible crappy ways of making a Windows
workstation speak to a non-M$ KDC but it's rubbish - it basically involves
setting up local accounts on your workstation and then mapping those
local accounts onto Kerberos principals in your non-M$ KDC. This might
be OK as a silly toy exercise or as a vague justification for claiming
your (M$) product is actually Kerberos compliant, but if you've got any
reasonable number of workstations (i.e. more than one) then it's a
pain. There's an article in Techweb somewhere on the M$ website that
explains how to do it - although I don't think the instructions they
give actually work.

You appear to be making the mistake many make of thinking that M$ AD is
simply Kerberos - it's not.

Microsoft Active Directory is a proprietary fusion of LDAP, Kerberos,
DHCP and DDNS. There are enough extensions to the standards to make it
absolutely impossible to get a M$ product speaking to a non-M$ product.

When M$ talk about interoperability they are actually talking about
making non-M$ products talk to AD (prior to your eventual migration to
their fabulous product), not the other way around. For instance,
Microsoft want you controlling your UNIX workstations using AD prior to
upgrading to Windows XP/2003/05/long horn/horn swaggler etc. AD will
provide enough compliance with Kerberos and LDAP standards that a UNIX
workstation would be able to use it as a source for account information
(although you do have to extend your AD schema for it to work).

In short, what you are trying is impossible (that's why Bill is the
richest man on earth). If you want Windows Server functionality to
manage and control your Windows workstations then you need a Windows
Server running AD. M$ have made a very successful business out of
locking customers in and keeping the competition out - if it was easy
(or even possible) to replace a Windows AD server with (non-M$)
products then no doubt the M$ lawyers would be destroying people with
billion dollar lawsuits.
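For readers who want to see what the "local account mapped to a principal" workaround the post describes actually looks like, here is an added example (not from the poster, and not the Techweb article they mention) using Windows' built-in ksetup.exe against an MIT Kerberos KDC. The realm EXAMPLE.ORG, the KDC host kdc.example.org, the workstation name ws01 and the account alice are all constructed placeholders; substitute your own. Every command is run in an elevated PowerShell (or cmd) session on the workstation, except the one kadmin line shown in a comment, which the KDC administrator runs on the KDC.

```powershell
# Added example: workstation-side setup for a Windows machine that should
# authenticate against a non-Microsoft (MIT) KDC, as the post outlines.
# All names below are constructed placeholders.

# 1. Tell the workstation which realm it belongs to and where that realm's
#    KDC and password-change service live. Realm names are case-sensitive
#    and must match the KDC's configuration exactly.
ksetup /setdomain EXAMPLE.ORG
ksetup /addkdc EXAMPLE.ORG kdc.example.org
ksetup /addkpasswd EXAMPLE.ORG kdc.example.org

# 2. The workstation needs its own principal on the KDC so it can obtain
#    service tickets. On the MIT side the admin creates it (KDC shell, not
#    PowerShell) and chooses a password:
#      kadmin.local -q "addprinc host/ws01.example.org"
#    The same password is set here so both sides derive the same key.
ksetup /setmachpassword 'placeholder-machine-password'

# 3. Create the local account that will own the logon session. Kerberos
#    only handles authentication here; the profile, group membership and
#    authorization are entirely local to this machine.
net user alice * /add

# 4. Map the Kerberos principal onto that local account. This is the step
#    the post calls a pain: it is per-workstation, so every machine has to
#    repeat it for every user who may log on there.
ksetup /mapuser alice@EXAMPLE.ORG alice

# 5. Confirm what the workstation now believes about the realm and mappings,
#    then restart so the realm settings take effect. Log on afterwards as
#    alice@EXAMPLE.ORG.
ksetup /dumpstate
```

The wildcard form `ksetup /mapuser * *` maps every principal in the realm to the same-named local account and removes step 4 from the per-user workload, but it also means any principal the KDC will vouch for gets whatever local account happens to share its name, so explicit per-principal mappings are the safer default. Nothing here gives the workstation group policy, a domain-joined identity or any of the directory functionality the post is talking about; it is a logon mapping and nothing more.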


