Heimdal KDC, Windows XP and local users
Jeffrey Altman
jaltman at secure-endpoints.com
Wed Jan 9 11:19:18 EST 2008
Christopher D. Clausen wrote:
> Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> wrote:
>> I have configured Windows XP to use a Heimdal KDC for user
>> authentication. All existing Windows users can authenticate against
>> the KDC; user mapping is "ksetup /mapuser * *".
>>
>> However, Windows does not create a new local user with the same name
>> as the Kerberos principal I try to authenticate as.
>
> No, Windows does not, nor should it. You mapped all principals to a
> single user account. If you want separate accounts, you'll need to
> actually create the accounts ahead of time and map the principal to the
> individual accounts.
"ksetup /mapuser * *" does not map all users to a single account. It
maps Kerberos principals to local accounts (if they exist) whose
username matches the first component of the principal.
However, Windows will not create accounts on the fly. A GINA could
definitely do that for XP (but not Vista). I don't know if a Network
Provider could do it. I'm thinking not because by the time the Network
Provider has been called I believe the SID of the user must be determined.
Jeffrey Altman
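The procedure the thread converges on (create the local accounts ahead of time, then map each principal to the account whose name is the principal's first component) as a script. This is an added example, not code from any of the posters: the realm EXAMPLE.COM, the KDC host kdc.example.com and the two principals are assumed values, and the script must run from an elevated prompt on the workstation (Windows PowerShell 2.0 runs on XP SP3).

```powershell
# Added example, not from the thread. Pre-creates the local Windows accounts that
# "ksetup /mapuser" needs and maps each Kerberos principal to the local account
# named after the principal's first component. Run elevated.
$Realm = 'EXAMPLE.COM'          # assumed realm name (realms are upper-case)
$Kdc   = 'kdc.example.com'      # assumed Heimdal KDC host
$Principals = @(                # constructed sample principals
    'alice@EXAMPLE.COM',
    'bob@EXAMPLE.COM'
)

# One-time realm setup on the workstation.
ksetup /setdomain $Realm
ksetup /addkdc $Realm $Kdc

foreach ($principal in $Principals) {
    $localName = ($principal -split '@')[0]

    # Windows will not create the account on the fly, so make sure it exists.
    net user $localName > $null 2>&1
    if ($LASTEXITCODE -ne 0) {
        # The local password is not what the Kerberos logon checks; set a
        # throwaway random one (14 chars avoids net.exe's long-password prompt).
        $password = [guid]::NewGuid().ToString('N').Substring(0, 14)
        net user $localName $password /add
    }

    # Explicit mapping rather than "ksetup /mapuser * *": only the listed
    # principals end up mapped, so stray principals in the realm cannot log on
    # just because a same-named local account happens to exist.
    ksetup /mapuser $principal $localName
}

# Print the realm configuration and the mappings for review.
ksetup
```

Running `ksetup` with no arguments afterwards shows the configured realm, KDC and the principal-to-account mappings, which is the quickest way to confirm that a failed logon is an account problem rather than a mapping problem. The wildcard mapping from the original question is equivalent for principals whose local account already exists; the per-principal form simply limits the mapping to accounts you intended to create.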