Installed Kerberos, and now?

Matthew Joyce mjoyce at vtsystems.com
Wed Oct 12 14:57:29 EDT 2005


hairydamon at hotmail.com wrote:
> You can't. Microsoft have proprietary extensions to Kerberos/LDAP etc
> that means it's impossible to get a Microsoft product using a non-M$ KDC
> in the manner you (everyone) would like.
>
> There are some pretty horrible crappy ways of making a Windows
> workstation speak to a Non-M$ KDC but it's rubbish - basically involves
> setting up local accounts on your workstation and then mapping those
> local accounts onto kerberos principals in your non-M$ KDC. This might
> be OK as a silly toy exercise or as a vague justification for claiming
> your (M$) product is actually Kerberos compliant but if you've got any
> reasonable number of workstations (i.e. more than one) then it's a
> pain. There's an article in Techweb somewhere on the M$ website that
> explains how to do it - although I don't think the instructions they
> give actually work....
Heh, I cut this... but a lot of what you were saying, while somewhat
correct, was misleading.  Active Directory can work fine in a Unix
environment.  A lot of folks do it.  I do.  In fact setting up Active
Directory to authenticate off kerb5 and hand out kerb5 tgts.  Same goes
for sub services... you can totally use bind9 in tandem with Active
Directory.

The sketchy area is a unified directory service.  Maybe someone else has 
better info than I.  We currently maintain both Active Directory and an
OpenLDAP server in our environment.  I'd be interested in hearing what
others have done to unify their directory services between windows and 
unix environments.

But as far as synchronizing unix and windows authentication... kerberos 
works dandy in both areas.  =D
Being able to do GSSAPI-wit-mit authentication to servers with my Active
Directory given MIT tgts... is just plain cool.

-- 
Best regards,

Matthew Joyce        	             System Administrator
Tel: 212.871.1747 x329        Visual Trading Systems, LLC
Mobile: 917.596.9619                 mjoyce at vtsystems.com
