Password Syncing to Kerberos using SFU's ssod

John Hascall john at iastate.edu
Wed Jan 9 12:36:00 EST 2008


> Colin Simpson <Colin.Simpson at iongeo.com> wrote:
> > I'm looking at finding a new solution to syncing password between AD
> > and Kerberos. We had been using CEDAR for this and it's great but the
> > passwdHK dll on windows hates it if you pass in 8 bit ascii password.

> AD already is Kerberos.  Why don't you just use your Active Directory 
> controllers as the Kerberos KDCs as well?

AD is approximately Kerberos.  And there are myriad reasons, technical,
political, organizational, and more, why an organization might not do so.

In our case, we wrote our own code to do the sync process.
For AD to MIT changes it is a DLL that hooks into the AD
as the 'local password quality checking' DLL.  On the MIT
side it was the insertion of a small bit of code in about
a half dozen places (princ create, update, delete, chpass,
etc) into the server-side kadm library.  If you check the
archives of this group, I'm pretty sure I've posted
our server-side hooks (anyone who has added their own
incremental-kprop between MIT KDCs is doing essentially
the same thing).

John
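The AD-side half of the arrangement John describes is a password filter DLL: LSASS loads it on the domain controller and calls its PasswordChangeNotify export with the user name and the new cleartext password every time a password is set. The sketch below is an added example, not John's DLL, not CEDAR's passwdHK, and not code from this thread; it shows the shape of that hook and the one detail that bears on Colin's 8-bit problem. AD hands the password over as a counted UTF-16 UNICODE_STRING, so the DLL has to transcode it to UTF-8 before handing it to the MIT side rather than narrowing each code unit to a byte, and it must reject malformed UTF-16 rather than forward a mangled string. Assumptions are marked: the realm name SYNC_REALM is a placeholder, the "send to KDC" step is a recording stub standing in for whatever channel reaches the MIT kadmin server, and on a non-Windows host the NT types are defined locally so the transcoding can be compiled and exercised stand-alone.

```c
/* Added example of an AD password-filter DLL with UTF-16 -> UTF-8 handling.
 * Not John Hascall's code nor CEDAR's; SYNC_REALM and send_to_kdc() are
 * placeholders for the real deployment. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>
#else
/* Local stand-ins for the NT types so this compiles and runs off-Windows. */
typedef uint16_t WCHAR;
typedef struct { uint16_t Length; uint16_t MaximumLength; WCHAR *Buffer; }
    UNICODE_STRING, *PUNICODE_STRING;
typedef unsigned long ULONG;
typedef long NTSTATUS;
typedef unsigned char BOOLEAN;
#define STATUS_SUCCESS ((NTSTATUS)0)
#define TRUE 1
#define NTAPI
#endif

#define SYNC_REALM "EXAMPLE.COM"   /* assumption: the MIT realm being synced */
#define MAX_PRINC 256
#define MAX_PW    512

/* Convert a counted UTF-16 buffer (src_bytes is a byte count, no NUL, exactly
 * what UNICODE_STRING.Length gives you) to NUL-terminated UTF-8 in dst.
 * Returns the UTF-8 length, or -1 on a lone surrogate or a too-small dst.
 * Nothing above U+007F is narrowed to a single byte. */
int utf16_to_utf8(const WCHAR *src, size_t src_bytes, char *dst, size_t dst_cap)
{
    size_t n = src_bytes / 2, o = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t cp = src[i];
        if (cp >= 0xD800 && cp <= 0xDBFF) {           /* high surrogate */
            if (i + 1 >= n || src[i + 1] < 0xDC00 || src[i + 1] > 0xDFFF)
                return -1;                             /* unpaired: reject */
            cp = 0x10000 + ((cp - 0xD800) << 10) + (src[i + 1] - 0xDC00);
            i++;
        } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
            return -1;                                 /* stray low surrogate */
        }
        size_t need = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + need + 1 > dst_cap) return -1;
        if (need == 1) dst[o++] = (char)cp;
        else if (need == 2) {
            dst[o++] = (char)(0xC0 | (cp >> 6));
            dst[o++] = (char)(0x80 | (cp & 0x3F));
        } else if (need == 3) {
            dst[o++] = (char)(0xE0 | (cp >> 12));
            dst[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[o++] = (char)(0x80 | (cp & 0x3F));
        } else {
            dst[o++] = (char)(0xF0 | (cp >> 18));
            dst[o++] = (char)(0x80 | ((cp >> 12) & 0x3F));
            dst[o++] = (char)(0x80 | ((cp >> 6) & 0x3F));
            dst[o++] = (char)(0x80 | (cp & 0x3F));
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Zero a buffer in a way the optimiser cannot elide (cleartext lives in LSASS). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Recording stub standing in for the real transport to the MIT kadmin server.
 * Whatever replaces it must return quickly and never block: it runs in LSASS. */
static char g_last_princ[MAX_PRINC];
static char g_last_pw[MAX_PW];
static int  g_calls;
static int send_to_kdc(const char *princ, const char *pw_utf8)
{
    snprintf(g_last_princ, sizeof g_last_princ, "%s", princ);
    snprintf(g_last_pw, sizeof g_last_pw, "%s", pw_utf8);
    g_calls++;
    return 0;
}
const char *last_synced_principal(void) { return g_last_princ; }
const char *last_synced_password(void)  { return g_last_pw; }
int sync_call_count(void)               { return g_calls; }

/* The exports LSASS looks for in a password filter DLL. */
BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }

BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                             PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)Password; (void)SetOperation;
    return TRUE;   /* no extra quality policy here; accept the change */
}

NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                    PUNICODE_STRING NewPassword)
{
    char user[MAX_PRINC], princ[MAX_PRINC], pw[MAX_PW];
    (void)RelativeId;
    if (utf16_to_utf8(UserName->Buffer, UserName->Length, user, sizeof user) < 0 ||
        utf16_to_utf8(NewPassword->Buffer, NewPassword->Length, pw, sizeof pw) < 0) {
        wipe(pw, sizeof pw);
        return STATUS_SUCCESS;   /* a sync failure must not break the AD change */
    }
    snprintf(princ, sizeof princ, "%s@%s", user, SYNC_REALM);
    send_to_kdc(princ, pw);
    wipe(pw, sizeof pw);         /* do not leave the cleartext behind */
    return STATUS_SUCCESS;
}

int main(void)
{   /* constructed sample: user "colin" sets a password with two 8-bit chars */
    WCHAR u[] = {'c','o','l','i','n'};
    WCHAR p[] = {'P',0x00E4,'s','s','w',0x00F6,'r','d'};
    UNICODE_STRING un = {10, 10, u}, pn = {16, 16, p};
    PasswordChangeNotify(&un, 1234, &pn);
    printf("synced %s (%d UTF-8 bytes)\n", last_synced_principal(),
           (int)strlen(last_synced_password()));
    return 0;
}
```

The two things to keep from this beyond the transcoding: the hook returns success even when the forward fails, because a filter DLL that errors or blocks inside LSASS breaks password changes on the DC for everyone, and the cleartext buffer is wiped as soon as it has been handed off.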



More information about the Kerberos mailing list