Trusted Authorities between AD and MIT Kerberos
Douglas E. Engert
deengert at anl.gov
Tue Sep 18 12:18:24 EDT 2007
Ido Levy wrote:
> Hello All,
>
> I am planning to create trusted authorities between AD server and MIT based
> kerberos server.
> I would appreciate your advice/links on how it's possible to implement such
> system, if it works properly and what is the known issues with such
> implementation.
Yes it works.
Just off the top of my head some issues:
Start here: http://technet.microsoft.com/en-us/library/Bb742433.aspx
AD 2003 and newer Kerberos can all do RC4, so you are not limited to DES.
The Microsoft PAC in a ticket can make the ticket very large
which might cause problems for some Unix applications
see http://support.microsoft.com/kb/832572
AD has a password for an account, but an account can have
multiple UPN and SPNs. (The key for the principal is derived
by the KDC from the password.) So best to have each service
principal have its own account.
Adding accounts with SPNs to AD can be done with ktpass
Goolge for msktutil that uses OpenLDAP and SASL/gssapi to
update AD and krytab files. (Samba can do some of this too.)
AD can do referrals, Kerberos still uses the krb5.conf [domain_realm]
So AD clients may have problems finding services registed in
a non AD realm. There is some way to use the Global Catalog
to add the mapping.
>
> Thank you.
>
> Ido Levy
> IBM Haifa Labs, Israel
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list