Installed Kerberos, and now?
Matthew Joyce
mjoyce at vtsystems.com
Wed Oct 12 14:57:29 EDT 2005
hairydamon at hotmail.com wrote:
> You can't. Microsoft have proprietary extensions to Kerberos/LDAP etc
> that mean it's impossible to get a Microsoft product using a non-M$ KDC
> in the manner you (everyone) would like.
>
> There are some pretty horrible crappy ways of making a Windows
> workstation speak to a Non-M$ KDC but it's rubbish - basically involves
> setting up local accounts on your workstation and then mapping those
> local accounts onto Kerberos principals in your non-M$ KDC. This might
> be OK as a silly toy exercise or as a vague justification for claiming
> your (M$) product is actually Kerberos compliant but if you've got any
> reasonable number of workstations (i.e. more than one) then it's a
> pain. There's an article in Techweb somewhere on the M$ website that
> explains how to do it - although I don't think the instructions they
> give actually work....

Heh, I cut this... but a lot of what you were saying, while somewhat
correct, was misleading. Active Directory can work fine in a Unix
environment. A lot of folks do it. I do. In fact setting up Active
Directory to authenticate off kerb5 and hand out kerb5 TGTs. Same goes
for sub services... you can totally use bind9 in tandem with Active
Directory.

The sketchy area is a unified directory service. Maybe someone else has
better info than I. We currently maintain both Active Directory and an
OpenLDAP server in our environment. I'd be interested in hearing what
others have done to unify their directory services between Windows and
Unix environments.

But as far as synchronizing Unix and Windows authentication... Kerberos
works dandy in both areas. =D

Being able to do GSSAPI-wit-mit authentication to servers with my Active
Directory given MIT TGTs... is just plain cool.

--
Best regards,
Matthew Joyce System Administrator
Tel: 212.871.1747 x329 Visual Trading Systems, LLC
Mobile: 917.596.9619 mjoyce at vtsystems.com
The information contained in this E-mail message is privileged,
confidential, and may be protected from disclosure; please be aware that
any other use, printing, copying, disclosure or dissemination of this
communication may be subject to legal restrictions or sanctions. If you
think that you received this E-mail message in error, please reply to
the sender.