Trusted Authorities between AD and MIT Kerberos

Douglas E. Engert deengert at anl.gov
Tue Sep 18 12:18:24 EDT 2007



Ido Levy wrote:
> Hello All,
> 
> I am planning to create trusted authorities between AD server and MIT based
> kerberos server.
> I would appreciate your advice/links on how it's possible to implement such
> system,  if it works properly and what is the known issues with such
> implementation.

Yes it works.

Just off the top of my head some issues:

   Start here: http://technet.microsoft.com/en-us/library/Bb742433.aspx

   AD 2003 and newer Kerberos can all do RC4, so you are not limited to DES.

   The Microsoft PAC in a ticket can make the ticket very large
   which might cause problems for some Unix applications
   see http://support.microsoft.com/kb/832572

   AD has a password for an account, but an account can have
   multiple UPN and SPNs. (The key for the principal is derived
   by the KDC from the password.) So best to have each service
   principal have its own account.

   Adding accounts with SPNs to AD can be done with ktpass
   Goolge for msktutil that uses OpenLDAP and SASL/gssapi to
   update AD and krytab files.  (Samba can do some of this too.)

   AD can do referrals, Kerberos still uses the krb5.conf [domain_realm]
   So AD clients may have problems finding services registed in
   a non AD realm. There is some way to use the Global Catalog
   to add the mapping.


> 
> Thank you.
> 
> Ido Levy
> IBM Haifa Labs, Israel
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list