Connecting Windows 2003 to separate MIT Kerberos Server?

Douglas E. Engert deengert at anl.gov
Fri Oct 16 11:20:42 EDT 2009



Tomas Gustavsson wrote:
> Hi!
> 
> My name is Tomas and I'm trying to set up MIT Kerberos on a Linux server and
> I would like Microsoft Windows 2003 Server (and all clients connected to it)
> to use my "Linux Kerberos" instead of the native one in Windows. Maybe I have
> misunderstood some parts here and there and I'm a beginner when it comes to
> Kerberos (started reading about it a couple of days ago) but I have chosen
> this as my final project; I'm studying to become a (junior) Linux
> administrator.

Sounds more like a master's level project to me :-)

> I have Googled and looked into some documents but I can't find
> anything useful that helps me do what I want. So if you can tell me if it's
> possible to make Windows 2003 Server use a separate MIT Kerberos server
> and how it's done then I would be very happy.
> 

Short answer, Windows expects Kerberos tickets to have a PAC which has authorization
data with SUID and Group membership stuff maintained by Windows Active Directory.
This is carried by an extension to the Kerberos protocol. The PAC is added by Windows AD.

So you need either:
   (1) Cross realm between a Kerberos realm and AD domain where you authenticate to
       Kerberos, and the cross realm TGT will get a PAC. Start here as this might
       give you other ideas too. It's old but short and most of it still applies.

       http://technet.microsoft.com/en-us/library/bb742433.aspx

   (2) Use a Kerberos server which can add the PAC. But it then needs the Authorization
       database too. Have you looked at Samba yet?

> 
> P.S. I only have a couple of days to complete the project so time is of
> the essence. D.S.

Good luck...

> 
> Thank you.
> 
> Best regards
> /Tomas Gustavsson
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
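What option (1) above looks like on the MIT side, as an added illustration that is not part of the thread: a krb5.conf that declares both realms and a direct [capaths] trust between them, plus the two krbtgt principals the cross-realm trust rests on. Realm names (LINUX.EXAMPLE.COM for the MIT KDC, AD.EXAMPLE.COM for the Windows domain) and host names are assumptions chosen for the example.

```ini
# /etc/krb5.conf on the MIT KDC and its Unix clients.
# Added example, not from the thread. Assumed names: MIT realm LINUX.EXAMPLE.COM,
# AD domain/realm AD.EXAMPLE.COM, KDCs kdc.linux.example.com and dc1.ad.example.com.
[libdefaults]
    default_realm = LINUX.EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    LINUX.EXAMPLE.COM = {
        kdc = kdc.linux.example.com
        admin_server = kdc.linux.example.com
    }
    AD.EXAMPLE.COM = {
        # the Windows domain controller is the KDC for the AD realm
        kdc = dc1.ad.example.com
    }

[domain_realm]
    .linux.example.com = LINUX.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM

[capaths]
    # direct trust in both directions; "." means no intermediate realm
    LINUX.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        LINUX.EXAMPLE.COM = .
    }

# Cross-realm principals created on the MIT KDC with kadmin; the password must
# match the one given to the realm trust on the Windows side. Windows 2003 has
# no AES Kerberos support, so restrict the keys to rc4-hmac rather than letting
# MIT generate AES keys the domain controller cannot use:
#   addprinc -e rc4-hmac:normal krbtgt/AD.EXAMPLE.COM@LINUX.EXAMPLE.COM
#   addprinc -e rc4-hmac:normal krbtgt/LINUX.EXAMPLE.COM@AD.EXAMPLE.COM
```

The Windows half (creating the realm trust and mapping hosts and users to the MIT realm) is what the TechNet guide linked above walks through. The caveat that matters for the PAC question: AD only puts a PAC into the cross-realm service ticket for a principal it can map to one of its own accounts, so every MIT-only user still needs a corresponding AD account with a name mapping; the MIT KDC does authentication, AD still supplies the authorization data.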
