Cross Realm AD<->MIT Trust, with realm name clash?

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Feb 6 12:18:33 EST 2006


Ken Hornstein wrote:

> I believe Windows manages this by storing the actual plaintext passwords,
> and thus can simply generate new keys from the passwords with the correct
> salt.  If you have a regular password expiration policy, you could "cheat"
> a bit and store the plaintext passwords.  Or even better, during the
> password change you could store the "correct" salt.  Either one of these
> solutions requires writing some code ... and a password expiration policy.

This is part of what Windows does.  Active Directory in Windows 2003
allows you to provide the KDC multiple names.  This allows you to make
the transition without requiring a flag day.   You start the process by
associating an alias for the new domain name.  Then you perform a
transformation on the database for all of the client machines.  Then
the alias and the official name are swapped.

You then run this way for as long as you need to in order for the client
machines to contact Active Directory and have a client machine rename
operation, which includes a reboot, occur.

Finally, you delete the alias to the old domain name.

Jeffrey Altman
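The thread turns on one detail of Kerberos key derivation: the default salt folds the realm name into the key, so renaming a realm invalidates every stored key unless the KDC either still has the password or recorded the salt it actually used, as Ken's reply suggests. The following is an added example (not code from this thread, from MIT krb5, or from Active Directory) that models a minimal KDC database with and without an explicit stored salt and shows which entries survive a realm rename. It implements only the PBKDF2 stage of the RFC 3962 AES string-to-key function (the salt-independent DK() step is left out), and the realm and principal names are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


def default_salt(realm: str, principal: str) -> str:
    """Default Kerberos salt (RFC 4120 section 4): the realm name followed by
    the principal name components concatenated without separators."""
    return realm + "".join(principal.split("/"))


def string_to_key_pbkdf2(password: str, salt: str,
                         iterations: int = 4096, keylen: int = 16) -> bytes:
    """Salt-dependent stage of the RFC 3962 (AES) string-to-key function:
    PBKDF2-HMAC-SHA1 over the UTF-8 password and salt. The final DK() step
    of RFC 3962 is omitted here; it needs AES and does not involve the salt,
    so it does not change the argument about realm renames."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


@dataclass
class KdbEntry:
    """Hypothetical KDC database record (not MIT's KDB layout): the derived
    key plus, optionally, the salt it was derived with. None means the KDC
    must recompute the default salt for whatever realm it now serves."""
    key: bytes
    salt: Optional[str]


def set_password(db: Dict[str, KdbEntry], realm: str, principal: str,
                 password: str, store_salt: bool) -> None:
    """Password change: derive the key under the realm's default salt and,
    if store_salt is set, record that salt explicitly with the entry."""
    salt = default_salt(realm, principal)
    db[principal] = KdbEntry(string_to_key_pbkdf2(password, salt),
                             salt if store_salt else None)


def verify(db: Dict[str, KdbEntry], realm: str, principal: str,
           password: str) -> bool:
    """Check a password against the stored key, using the stored salt when
    present and otherwise the default salt of the realm the KDC now serves."""
    entry = db[principal]
    salt = entry.salt if entry.salt is not None else default_salt(realm, principal)
    return hmac.compare_digest(string_to_key_pbkdf2(password, salt), entry.key)


def realm_rename_demo() -> Dict[str, bool]:
    """Rename OLD.EXAMPLE to NEW.EXAMPLE (constructed names) without touching
    the database, and report which entries still verify afterwards."""
    db: Dict[str, KdbEntry] = {}
    set_password(db, "OLD.EXAMPLE", "alice", "correct horse", store_salt=False)
    set_password(db, "OLD.EXAMPLE", "host/ws1.old.example", "hunter2", store_salt=True)

    before = {
        "alice_before": verify(db, "OLD.EXAMPLE", "alice", "correct horse"),
        "host_before": verify(db, "OLD.EXAMPLE", "host/ws1.old.example", "hunter2"),
    }
    # The KDC now answers for the new realm name; nothing in the database changed.
    after = {
        "alice_after": verify(db, "NEW.EXAMPLE", "alice", "correct horse"),
        "host_after": verify(db, "NEW.EXAMPLE", "host/ws1.old.example", "hunter2"),
    }
    # alice's next password change under the new realm repairs her entry, which
    # is why the thread ties a realm rename to a password expiration policy.
    set_password(db, "NEW.EXAMPLE", "alice", "correct horse", store_salt=False)
    after["alice_after_change"] = verify(db, "NEW.EXAMPLE", "alice", "correct horse")
    return {**before, **after}


if __name__ == "__main__":
    for name, ok in realm_rename_demo().items():
        print(f"{name:20s} {'ok' if ok else 'FAIL'}")
```

The entry whose salt was recorded at password-change time keeps verifying under the new realm name; the entry that relies on the default salt fails until its password is changed once more under the new name. That is the whole reason a rename can be done without a flag day only if every principal either changes its password during the alias period or already carries an explicit salt.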