Interoperability between Linux KDC - Windows client

Priya Govindarajan govindap at us.ibm.com
Mon Feb 11 21:40:22 EST 2008


Hi,

I have some questions on interoperability while kerberizing an application 
to provide Single Sign On support. Currently the implementation uses GSSAPI 
for Linux KDC/server on Linux/client on Linux and SSPI for Windows AD/ 
server on Windows/client on Windows.

I am trying the following interoperability case: Linux KDC, server 
on Linux and client on Windows. MIT Leash is installed on the Windows machine 
and I am able to get the TGT from the Linux KDC. The logon authentication 
does not seem to happen through the Linux KDC. I followed the steps here: 
http://technet.microsoft.com/en-us/library/bb742433.aspx

The application fails when the Windows client tries to initialize the context 
(through SSPI calls) with a "no credentials found" message. I am noticing that 
the LSA cache does not have the credential but the MIT cache does.

I see ms2mit in Leash to convert the LSA cache to the MIT cache. Is there a way to 
authenticate the Windows client using the Linux KDC and populate the LSA cache for 
the Windows InitializeSecurityContext SSPI calls to pass? Or should I be 
calling gss_init_sec_context (which would read the KRB5CCNAME location) instead 
of the Windows SSPI calls?

Thanks,
Priya

