Cross Realm AD<->MIT Trust, with realm name clash?

Ken Hornstein kenh at cmf.nrl.navy.mil
Mon Feb 6 11:48:29 EST 2006


>I must say it's quite a surprise that Windows can allow you this
>flexibility but MIT Kerberos doesn't. Is it really impossible with MIT
>Kerberos?

With the supplied tools, yes.  In theory, you could write code to do it.

The real problem is that your keys are "salted" with the complete principal
name (the salt is one of the inputs to the algorithm that turns a password
into the actual encryption key Kerberos uses).  There is a provision for
an "alternate" salt ... you could write code to transform the database,
and in the process store alternate salts for each key.  This assumes that
all of your clients support alternate salts.

I believe Windows manages this by storing the actual plaintext passwords,
and thus can simply generate new keys from the passwords with the correct
salt.  If you have a regular password expiration policy, you could "cheat"
a bit and store the plaintext passwords.  Or even better, during the
password change you could store the "correct" salt.  Either one of these
solutions requires writing some code ... and a password expiration policy.

--Ken
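The salting behaviour Ken describes, worked through in code. This is an added example and is not code from the thread or from MIT Kerberos; it implements the default salt rule and the PBKDF2 stage of the RFC 3962 AES string-to-key function using only the Python standard library. The second stage of that function (DK(tmpkey, "kerberos"), an AES-based derivation that takes no salt) is left out because there is no AES in the standard library; since that stage is salt-independent, the dependence of the key on the principal name is fully visible at the PBKDF2 stage. The principal names and the password in the demo are constructed for illustration; the iteration count of 4096 is the MIT default for AES enctypes.

```python
import hashlib


def default_salt(principal: str) -> str:
    """Default Kerberos 5 salt (RFC 4120 / RFC 3962): the realm name followed
    by the principal's name components, in order, with no separators.
    'host/kdc.example.com@EXAMPLE.COM' -> 'EXAMPLE.COMhostkdc.example.com'"""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def string_to_key_stage1(password: str, salt: str,
                         iterations: int = 4096, key_len: int = 16) -> bytes:
    """First stage of the RFC 3962 AES string-to-key function:
    PBKDF2-HMAC-SHA1(password, salt, iterations, key_len).
    The real function then applies DK(tmpkey, "kerberos"), which is omitted
    here (it needs AES and does not involve the salt)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def key_with_default_salt(principal: str, password: str) -> bytes:
    """What a KDC (or a client doing AS-REQ preauth) computes when no
    explicit salt is stored for the principal."""
    return string_to_key_stage1(password, default_salt(principal))


def rfc3962_known_answer() -> bool:
    """Check against the RFC 3962 Appendix B test vector (iteration count 1,
    password 'password', principal raeburn@ATHENA.MIT.EDU)."""
    out = string_to_key_stage1("password", "ATHENA.MIT.EDUraeburn",
                               iterations=1, key_len=16)
    return out.hex() == "cdedb5281bb2f801565a1122b2563515"


def rename_realm_demo(password: str) -> dict:
    """Move alice's existing key from OLD.EXAMPLE.COM to NEW.EXAMPLE.COM
    without knowing her password.

    - old_key: the key the OLD realm's KDC has in its database.
    - new_default_key: what NEW's KDC would expect if it used its default
      salt; it cannot compute this without the plaintext password.
    - new_with_stored_salt: what NEW's KDC can use if it stores the old
      salt string alongside the copied key (the "alternate salt" approach)
      and hands that salt to clients in the ETYPE-INFO2 preauth hint.
    Realm and principal names here are constructed for the example."""
    old_principal = "alice@OLD.EXAMPLE.COM"
    new_principal = "alice@NEW.EXAMPLE.COM"

    old_key = key_with_default_salt(old_principal, password)
    new_default_key = key_with_default_salt(new_principal, password)

    # The database-transform step Ken describes: copy the key bytes and
    # record the salt they were made with, instead of re-deriving.
    stored_salt = default_salt(old_principal)
    new_with_stored_salt = string_to_key_stage1(password, stored_salt)

    return {
        "old_key": old_key,
        "new_default_key": new_default_key,
        "new_with_stored_salt": new_with_stored_salt,
        "stored_salt": stored_salt,
        "default_salts_differ": (default_salt(old_principal)
                                 != default_salt(new_principal)),
        "keys_match_with_stored_salt": old_key == new_with_stored_salt,
    }


if __name__ == "__main__":
    print("RFC 3962 vector ok:", rfc3962_known_answer())
    r = rename_realm_demo("hunter2")
    print("old realm key       :", r["old_key"].hex())
    print("new realm, default  :", r["new_default_key"].hex())
    print("new realm, old salt :", r["new_with_stored_salt"].hex())
    print("salt stored in KDB  :", r["stored_salt"])
```

The last two printed keys show the trade-off in the post: a realm rename (or a cross-realm copy) leaves the stored key unusable under the new default salt, so either the key must be re-derived from a password the KDC does not have, or the original salt must travel with the key and every client must honour a KDC-supplied salt rather than assuming the default one.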



More information about the Kerberos mailing list