Heimdal KDC, Windows XP and local users

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Wed Jan 9 22:12:54 EST 2008


Christopher D. Clausen wrote:
> > I have configured Windows XP to use a Heimdal KDC for user
> > authentication. All existing Windows users can authenticate against
> > the KDC, user
> > mapping is "ksetup /mapuser * *".
> >
> > However, Windows does not create a new local user with the same name
> > as the Kerberos principal I try to authenticate as.

> No, Windows does not, nor should it.

It is a pity.

Windows does it quite well with a Windows domain and with pGina,
so I expected the same behavior for a Kerberos realm. Perhaps there is
some key in the registry to enable creation of local users/profiles
for Kerberos principals?

> You mapped all principals to a single user account.

Actually not.

> If you want separate accounts, you'll need to
> actually create the accounts ahead of time and map the principal to the
> individual accounts.

In fact, the "* *" mapping works fine for any local account if it
a) has the same name as the corresponding Kerberos principal and
b) has been created ahead of time.

The only problem is creation of local accounts/profiles on the fly.

> > Can this be helped? I want to create a new user in the Kerberos
> > database only, and this user's profile on the Windows machine should
> > be created automatically.

> You may be able to get pGina do what you want: http://www.pgina.org/

I know about pGina and have tried it. However my goal was to avoid
installing third party software on Windows workstations, and at the
same time to avoid the excessive complexity of Active Directory.
Kerberos at first seemed to be a good compromise.

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
