Kerberos v5

Richard E. Silverman res at qoxp.net
Fri May 19 21:38:42 EDT 2006


>>>>> "SM" == Sacha Mirambeau <Sacha_Mirambeau at appliedcard.com> writes:

    SM> We are planning to transition our enterprise to a scenario where
    SM> all platforms will authenticate to Active Directory via Kerberos.
    SM> MIT Kerberos v5 Rel. 1.4.3 appears to be the candidate to
    SM> facilitate authentication from our Unix, Linux/Fedora platforms.

Your Unix users can authenticate directly to AD; there is no need for a
separate realm for that.  Running kerberized services (or password
verification) on Unix requires putting those service principals in AD,
i.e. creating AD accounts for those machines with the needed principals.
You can create a separate realm for the Unix machines with realm trust to
the AD realm in place, but with this problem: the Windows machines will
not recognize that the Unix machines are in the other realm.  This is
because Windows does not use the traditional mechanisms to determine the
realm of a host, i.e. DNS or static configuration.  Instead, Windows
clients rely on referrals from their local domain controllers, and the
DCs only refer to realms associated with other AD domains in their
forest.  I have been trying to find a way now for a month or so to cajole
Windows into issuing referrals to external realms, without success.  I've
tried several different approaches, and I have a case open with Microsoft
support on it right now.

The problem can be elegantly solved by changing the Windows clients' logon
realm to a Unix one, with trust in place to the AD realm for obtaining
Windows service tickets with the PAC, but this is probably too big a
change for us to deploy.

Irritatingly, Microsoft supports static configuration on 2003 server,
which is what our DCs run -- but only for Kerberos clients; the KDC does
not consult it.  They are not willing to make that change, nor to port the
static configuration feature to XP, which our desktops run.

Another route is avoiding SSPI altogether, using the KfW GSSAPI library
instead.  Several important Windows clients support this, including
Firefox (1.5), some forks of PuTTY, and VanDyke SSH.  But of course IE
doesn't, and you never know when you'll want to use something else that
doesn't.

I'm not out of ideas yet, though, and if I find a solution I will post
here.  I did post about this here some time back, but got no response.

-- 
  Richard Silverman
  res at qoxp.net
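The post contrasts Windows' referral-based realm discovery with the "traditional mechanisms" (DNS or static configuration) a Unix Kerberos client uses to work out which realm a host belongs to. What follows is an added example, not part of Richard's message and not MIT Kerberos code: a small Python model of the static `[domain_realm]` lookup, fed a constructed krb5.conf for the two-realm layout under discussion (a Unix realm with trust to an AD realm; all host and realm names are made up). It simplifies the real library, leaving out DNS TXT lookups and KDC referrals, and keeps only the matching order a client applies to the static table: exact host entry, then the nearest parent domain with a leading-dot entry, then the upper-cased parent domain as the classic fallback.

```python
# Added example (not from the post): a simplified model of how an MIT
# Kerberos client maps a host name to a realm using the static
# [domain_realm] section of krb5.conf.  Host and realm names below are
# constructed for illustration.
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = UNIX.EXAMPLE.COM
    dns_lookup_realm = false

[realms]
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    # a leading dot matches every host under the domain
    .unix.example.com = UNIX.EXAMPLE.COM
    unix.example.com = UNIX.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM
    # an exact host entry overrides the domain-wide one
    legacy-box.ad.example.com = UNIX.EXAMPLE.COM
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_domain_realm(conf_text):
    """Return {pattern: realm} taken from the [domain_realm] section only."""
    mapping = {}
    in_section = False
    for raw in conf_text.splitlines():
        # strip trailing comments (both '#' and ';' styles) and whitespace
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1) == "domain_realm"
            continue
        if in_section and "=" in line:
            pattern, realm = (part.strip() for part in line.split("=", 1))
            mapping[pattern.lower()] = realm
    return mapping


def realm_for_host(hostname, mapping):
    """Resolve a host's realm from the static table: exact host entry first,
    then the nearest parent domain with a leading-dot entry, and finally the
    upper-cased parent domain as a last resort.  DNS lookup and KDC referrals
    are deliberately not modelled."""
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    # fallback: upper-cased domain part of the host name
    return ".".join(labels[1:]).upper() if len(labels) > 1 else host.upper()


MAPPING = parse_domain_realm(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    for h in ("fileserver.unix.example.com", "dc1.ad.example.com",
              "legacy-box.ad.example.com", "box.other.example.org"):
        print(f"{h:32} -> {realm_for_host(h, MAPPING)}")
```

The point the example makes concrete is the asymmetry in the post: a Unix client consults this table (or DNS) and will correctly send requests for `fileserver.unix.example.com` to the Unix realm, whereas a Windows client in the AD realm has no equivalent table to consult and depends on its DC issuing a referral, which the DC will not do for a realm outside the forest.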