Logging on with cached key

Nikolay Shopik shopik at inblock.ru
Thu Jun 4 03:15:13 EDT 2009


On 04.06.2009 11:10, Ravi Channavajhala wrote:
> Wouldn't it be nice if you can really make another server (Linux or
> Unix) as a backup KDC?  But in reality, this may or may not work (I
> haven't tried this personally) but Microsoft Kerberos implementation
> is different from stock MIT.  Kerberos in Windows 2000 inserts the
> SIDs in the TGT necessarily, although an optional field and the
> encrypted TGT is stored in a user credential cache.  There are
> certainly interoperability issues you may run into.  The point to
> remember is Windows Kerberos implementation varies from MIT, for that
> matter even on Solaris.

Now I understand that. Probably I should go with a cross-realm trust, by
making another KDC and configuring a trust with the current W2003 KDC. This is
a much easier way than figuring out how to make different Kerberos
implementations work together.

Any thoughts on how offline clients should be handled? What are the best
practices for that?


