Logging on with cached ticket
Nikolay Shopik
shopik at inblock.ru
Fri Jun 5 01:03:50 EDT 2009
On 04.06.2009 11:15, Nikolay Shopik wrote:
> On 04.06.2009 11:10, Ravi Channavajhala wrote:
>> Wouldn't it be nice if you could really make another server (Linux or
>> Unix) a backup KDC? But in reality, this may or may not work (I
>> haven't tried this personally), but the Microsoft Kerberos
>> implementation is different from stock MIT. Kerberos in Windows 2000
>> necessarily inserts the SIDs in the TGT, although it is an optional
>> field, and the encrypted TGT is stored in a user credential cache.
>> There are certainly interoperability issues you may run into. The
>> point to remember is that the Windows Kerberos implementation varies
>> from MIT, and for that matter even on Solaris.
>
> Now I understand that. Probably I should go with a cross-realm trust, by
> making another KDC and configuring a trust with the current W2003 KDC.
> This is a much easier way than figuring out how to make different
> Kerberos implementations work together.
>
> Any thoughts on how offline clients should be handled? What are the best
> practices for that?
The only thing I found is pam_krb5, which has an existing_ticket option
(it tells pam_krb5.so to accept the presence of pre-existing Kerberos
credentials provided by the calling application in the default credential
cache as sufficient to authenticate the user, and to skip any account
management checks). From what I see, this is available only in Red Hat,
but not in Debian/Ubuntu.
I wonder how the Windows implementation does it, since it allows login
even when the KDC is not available. I doubt it uses the existing ticket,
because that expires in just 24 hours and you can still log in.
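The message above rests on one practical question: whether the TGT sitting in the client's credential cache is still unexpired at the moment the user tries to log in offline. The following shell function, added here as an illustration and not taken from the thread or from pam_krb5, reads klist-style output and decides whether a krbtgt ticket for a given realm is valid at a given instant. The sample klist text, the realm EXAMPLE.COM, the function name tgt_valid and the two-digit MM/DD/YY timestamp format are all assumptions made for the example.

```shell
#!/bin/sh
# tgt_valid: report (via exit status) whether a klist-style listing read on
# stdin contains a krbtgt ticket for realm $2 that is valid at instant $1.
# $1 is "MM/DD/YY HH:MM:SS" (the format MIT klist printed at the time);
# the timestamps are re-ordered to YYYYMMDDHHMMSS so they compare as strings.
# Hypothetical helper for illustration, not part of pam_krb5 or MIT Kerberos.
tgt_valid() {
    now_key=$(printf '%s\n' "$1" | awk '{
        split($1, d, "/"); gsub(":", "", $2)
        print "20" d[3] d[1] d[2] $2
    }')
    awk -v now="$now_key" -v realm="$2" '
        # Only the TGT line matters; service tickets and "renew until" do not.
        $0 ~ ("krbtgt/" realm "@" realm) {
            split($1, d, "/"); gsub(":", "", $2); issued  = "20" d[3] d[1] d[2] $2
            split($3, e, "/"); gsub(":", "", $4); expires = "20" e[3] e[1] e[2] $4
            if (now >= issued && now < expires) { found = 1 }
        }
        END { exit(found ? 0 : 1) }'
}

# Constructed sample credential cache listing (not real output from any host).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
06/05/09 01:03:50  06/05/09 11:03:50  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 06/12/09 01:03:50
06/05/09 01:04:10  06/05/09 11:03:50  host/fs.example.com@EXAMPLE.COM'

# Ten-hour ticket lifetime: usable at 09:00, useless by 12:00 the same day.
if printf '%s\n' "$SAMPLE_KLIST" | tgt_valid "06/05/09 09:00:00" EXAMPLE.COM; then
    echo "TGT still valid: an existing_ticket-style login could succeed"
else
    echo "TGT expired or absent: cached credentials will not help"
fi
```

Run it against real output with `klist | tgt_valid "$(date '+%m/%d/%y %H:%M:%S')" YOUR.REALM`. The exit status is 0 only inside the ticket's validity window, which is exactly the window in which an existing_ticket-style PAM check could accept the cached credentials; outside it, the cache is of no use for logging in.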