Kerberos Rant

Tom Medhurst tom.medhurst at googlemail.com
Wed Apr 7 03:45:18 EDT 2010


Hi There,
I apologise in advance for the following rant, but I believe there are
issues that need addressing...

I am completely unable to get Windows clients authenticating against
Kerberos 5 server. I truly appreciate the assistance that Douglas has given
me with that case, but we have been unsuccessful in getting it to work.

In fact there are forum posts all over the web, full of people who are
unable to get Windows clients authenticating against krb5, and all that I have
encountered have been left unanswered.

This message isn't directed in any way towards Douglas (who says he has been
using Active Directory for many years now, and no longer uses MIT Kerberos
for authenticating Windows clients); but it is directed at the Project
Managers (if there are any?) who have decided that Windows client
authentication isn't a high enough priority to get working/documented (all
documentation on your site mentions Windows 2000 and the instructions are no
longer valid and things have changed in the last 11 years!!).

My complaint is the Kerberos project is all about a security protocol. One
which can be used to replace the standard user authentication system of the
OS. Now it doesn't matter how Unix-friendly a company is; at some point in
time they will want/need to connect a Windows machine to their network (for
argument's sake, say the boss's new girlfriend has a Windows laptop) and
risk assessors will think of scenarios like this before using a technology.
If you can't cater for Windows' vast market share, you are no longer a
viable option!!

The main reason for this rant is because I have seen the amazing code that
you guys have poured into the project. Plus you've made it open source!
That's absolutely fantastic!! The problem is I have spent weeks trying to
get this working, and now I basically have something that is worthless. The
amount of time I've spent on this exceeds the cost of a *Winblows* Server OS
which ships with Active Directory!

I dislike Windows probably more than the next Unix geek, and this is why I
chose to write this email rather than just move on to the more obvious
solution. I really want to use Kerberos as a homogeneous logon service for
networks I provide to customers, but without Windows support I simply cannot
and the cost of installing a system for a startup company rises enormously.

I am not going to consider Samba 4 as an alternative as it has been in beta
for more than 3 years and is not yet fit for enterprise use. Kerberos is!

I plead with anyone who has had Windows 7 authenticating against an MIT
Kerberos server to please assist me in getting it working. I'd be happy to
contribute a large document to your web site explaining how we achieved the
end goal (including caveats like DES being disabled by default in
Windows 7 <http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx>)
so others can learn from our hard work.

If there isn't, I urge whoever steers the direction of this project to stop
overlooking such a fundamental area.

It may currently work, but without support or documentation for Windows XP/7
clients, it may as well not work.

Please don't take this rant as an insult to all your hard work. I myself
contribute to/run many open source projects and understand the dilemma of
spending so much time on something which can't easily create a steady revenue.
I am hoping the tone of this email is just enough to warrant some attention
by the appropriate parties and action to be taken.

Many thanks for your time,
Kind Regards
Tom Medhurst
