Logging on with cached key

Ravi Channavajhala ravi.channavajhala at dciera.com
Thu Jun 4 03:10:27 EDT 2009


On Thu, Jun 4, 2009 at 12:09 PM, Nikolay Shopik <shopik at inblock.ru> wrote:
> On 04.06.2009 0:47, Ravi Channavajhala wrote:
>>
>> On Wed, Jun 3, 2009 at 11:09 PM, Nikolay Shopik<shopik at inblock.ru>  wrote:
>>>
>>> Hello.
>>>
>>> I'm configuring Linux machines using W2003 as the KDC; everything works
>>> fine for Debian SSH and the Ubuntu X server with MIT Kerberos.
>>>
>>> But I would like to give the user the ability to log on to the workstation
>>> if his key has not yet expired and the KDC is not available for the
>>> moment. Is that possible?
>>
>> This is the reason why you have to maintain a backup KDC.  If you have
>> a single point of failure, that's that.  How valid is a "valid" key,
>> really, if the KDC is not there to validate it :-)
>>
>> Even if the KDC is running and you have a valid key, Kerberos session
>> tickets are not persistent across logins.
>
> That's a good point; I thought about that just after I posted this message!
> So another question: can I use MIT Kerberos as a backup with the W2003 KDC?
> Also, how do I deal with offline clients like notebooks, when they don't
> have a connection at all?
>

Wouldn't it be nice if you could really make another server (Linux or
Unix) a backup KDC?  In reality, though, this may or may not work (I
haven't tried it personally): the Microsoft Kerberos implementation is
different from stock MIT.  Kerberos in Windows 2000 necessarily inserts
the SIDs in the TGT, although it is an optional field, and the
encrypted TGT is stored in the user's credential cache.  There are
certainly interoperability issues you may run into.  The point to
remember is that the Windows Kerberos implementation varies from MIT,
and for that matter so does the one on Solaris.
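An added example, not part of the original thread and not MIT's or Microsoft's code: the question is whether a workstation can let a user in on the strength of a cached, unexpired key. What the client actually holds is the credential cache mentioned above, and the only thing it can check locally is the lifetime. The script below parses MIT's FILE: credential cache format (version 4) and classifies the TGT as valid, expired or missing. It builds its own sample cache so it runs without a KDC; the principal alice@EXAMPLE.COM, the realm, the times, the all-zero session key and the two-byte placeholder ticket are all constructed for the example.

```python
"""Read an MIT Kerberos FILE: credential cache (format version 4) and say
whether the cached TGT is still inside its lifetime.  Added example for the
thread above, not code from the posts; realm, names, lifetimes and ticket
bytes are constructed by build_ccache() so it runs offline without a KDC."""
import struct
import time

KRB5_NT_PRINCIPAL = 1      # name type written for ordinary principals


class _Reader:
    """Sequential big-endian reader over the ccache bytes."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def take(self, n):
        chunk = self.data[self.off:self.off + n]
        if len(chunk) != n:
            raise ValueError("truncated credential cache")
        self.off += n
        return chunk

    def num(self, fmt):        # "B", "H" or "I": one unsigned big-endian field
        return struct.unpack(">" + fmt, self.take(struct.calcsize(fmt)))[0]

    def blob(self):            # uint32 length followed by that many bytes
        return self.take(self.num("I"))

    def principal(self):       # name type, component count, realm, components
        self.num("I")
        ncomp = self.num("I")
        realm = self.blob().decode()
        comps = [self.blob().decode() for _ in range(ncomp)]
        return "/".join(comps) + "@" + realm

    def skip_list(self):       # addresses / authdata: count, then (u16, blob) pairs
        for _ in range(self.num("I")):
            self.num("H")
            self.blob()


def parse_ccache(data):
    """Return (default principal, list of credential dicts)."""
    r = _Reader(data)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.num("H"))         # header tag list (clock offsets), not needed
    default = r.principal()
    creds = []
    while r.off < len(r.data):
        client, server = r.principal(), r.principal()
        etype, key = r.num("H"), r.blob()     # session key; never used here
        authtime, starttime, endtime, renew_till = (r.num("I") for _ in range(4))
        r.take(5)              # is_skey (1 byte) and ticket flags (4 bytes)
        r.skip_list()          # addresses
        r.skip_list()          # authdata
        ticket = r.blob()      # opaque: encrypted under the service's long-term key
        r.blob()               # second ticket
        creds.append(dict(client=client, server=server, etype=etype,
                          endtime=endtime, renew_till=renew_till, ticket=ticket))
    return default, creds


def tgt_status(data, now=None):
    """'valid' if an unexpired TGT for the default realm is cached, 'expired'
    if it is past endtime, 'missing' if there is none.  Lifetime only: the
    ticket itself cannot be verified here, it is sealed with the krbtgt key."""
    now = time.time() if now is None else now
    default, creds = parse_ccache(data)
    realm = default.rsplit("@", 1)[1]
    for c in creds:
        if c["server"] == "krbtgt/%s@%s" % (realm, realm):
            return "valid" if c["endtime"] > now else "expired"
    return "missing"


def _principal_bytes(name):
    comps, realm = name.rsplit("@", 1)
    parts = comps.split("/")
    out = struct.pack(">II", KRB5_NT_PRINCIPAL, len(parts))
    for s in [realm] + parts:
        out += struct.pack(">I", len(s.encode())) + s.encode()
    return out


def build_ccache(principal, server, endtime, ticket=b"\x61\x00"):
    """Constructed sample: one credential, placeholder ticket, zero session key."""
    header = struct.pack(">HHII", 1, 8, 0, 0)       # DeltaTime tag, zero offsets
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += _principal_bytes(principal)               # default principal
    out += _principal_bytes(principal) + _principal_bytes(server)
    out += struct.pack(">HI", 18, 32) + bytes(32)    # enctype 18 (aes256), stand-in key
    issued = int(endtime) - 10 * 3600
    out += struct.pack(">IIII", issued, issued, int(endtime), int(endtime) + 7 * 86400)
    out += b"\x00"                                   # is_skey
    out += struct.pack(">I", 0x40E00000)             # forwardable|renewable|initial|pre_authent
    out += struct.pack(">II", 0, 0)                  # no addresses, no authdata
    out += struct.pack(">I", len(ticket)) + ticket
    out += struct.pack(">I", 0)                      # no second ticket
    return out
```

Calling tgt_status() on the bytes of a real $KRB5CCNAME file tells you only whether the endtime has passed. The ticket field is encrypted under the krbtgt key, which only the KDC holds, so an offline workstation cannot distinguish a genuine cached TGT from bytes someone wrote into the file, and cannot see the SIDs a Windows KDC put inside it. That is why the tools that do offer offline logon (sssd with cache_credentials, for instance) cache a hash of the password from the last successful online authentication rather than trusting anything in the credential cache.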
