Kerberos Rant

Tom Medhurst tom.medhurst at googlemail.com
Wed Apr 7 04:34:53 EDT 2010


Hi Tim,

No, I wasn't aware of that... That sucks!
I guess Kerberos is no good for what I need then. Damn.

Now that the AD protocol is open, are there any plans to implement this in
Kerberos so it can be used without AD?

I'm not sure I would need Kerberos if I had an AD running my domain.

Thanks,
Tom

On Wed, Apr 7, 2010 at 8:53 AM, Tim Alsop <Tim.Alsop at cybersafe.com> wrote:

> Tom,
> I hope you are aware of the PAC data in the Kerberos tickets issued by MS
> AD, and because of this requirement for Windows login, the Active Directory
> domain still needs to be involved, even if the user is logging into Windows
> using a non-Active Directory KDC (e.g. MIT on UNIX). Basically you just need
> to run ksetup on the workstation to configure the non-AD realm, then set up a
> trust between AD and the non-AD realm, and you can log in from Windows 7 clients.
>
> Thanks,
> Tim Alsop
> CyberSafe
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of Tom Medhurst
> Sent: 07 April 2010 08:45
> To: kerberos at mit.edu
> Subject: Kerberos Rant
>
> Hi There,
> I apologise in advance for the following rant, but I believe there are
> issues that need addressing...
>
> I am completely unable to get Windows clients authenticating against a
> Kerberos 5 server. I truly appreciate the assistance that Douglas has given
> me with that case, but we have been unsuccessful in getting it to work.
>
> In fact there are forum posts all over the web, full of people who are
> unable to get Windows clients authenticating against krb5; all that I have
> encountered have been left unanswered.
>
> This message isn't directed in any way towards Douglas (who says he has been
> using Active Directory for many years now, and no longer uses MIT Kerberos
> for authenticating Windows clients); but it is directed at the Project
> Managers (if there are any?) who have decided that Windows client
> authentication isn't a high enough priority to get working/documented (all
> documentation on your site mentions Windows 2000 and the instructions are no
> longer valid and things have changed in the last 11 years!!).
>
> My complaint is the Kerberos project is all about a security protocol. One
> which can be used to replace the standard user authentication system of the
> OS. Now it doesn't matter how Unix-friendly a company is; at some point in
> time they will want/need to connect a Windows machine to their network (for
> argument's sake, say the boss's new girlfriend has a Windows laptop) and risk
> assessors will think of scenarios like this before using a technology.
> If you can't cater for Windows' vast market share, you are no longer a
> viable option!!
>
> The main reason for this rant is because I have seen the amazing code that
> you guys have poured into the project. Plus you've made it open source!
> That's absolutely fantastic!! The problem is I have spent weeks trying to
> get this working, and now I basically have something that is worthless. The
> amount of time I've spent on this exceeds the cost of a *Winblows* Server OS
> which ships with Active Directory!
>
> I dislike Windows probably more than the next Unix geek, and this is why I
> chose to write this email rather than just move on to the more obvious
> solution. I really want to use Kerberos as a homogeneous logon service for
> networks I provide to customers, but without Windows support I simply cannot
> and the cost of installing a system for a startup company rises enormously.
>
> I am not going to consider Samba 4 as an alternative as it has been in beta
> for more than 3 years and is not yet fit for enterprise use. Kerberos is!
>
> I plead with anyone who has had Windows 7 authenticating against an MIT
> Kerberos server to please assist me in getting it working. I'd be happy to
> contribute a large document to your web site explaining how we achieved the
> end goal (including caveats like DES being disabled by default in Windows 7:
> http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx)
> so others can learn from our hard work.
>
> If there isn't, I urge whoever steers the direction of this project to stop
> overlooking such a fundamental area.
>
> It may currently work, but without support or documentation for Windows XP/7
> clients, it may as well not work.
>
> Please don't take this rant as an insult to all your hard work. I myself
> contribute/run many open source projects and understand the dilemma of
> spending so much time on something which can't easily create a steady revenue.
> I am hoping the tone of this email is just enough to warrant some attention
> by the appropriate parties and action to be taken.
>
> Many thanks for your time,
> Kind Regards
> Tom Medhurst
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
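The ksetup-plus-trust arrangement Tim describes, written out as an added example (not commands from the thread or from the MIT project); the realm, domain, host and account names are constructed placeholders, and the account mapping via `altSecurityIdentities` is one way of doing the "AD still needs to be involved" step.

```powershell
# Constructed placeholder names (assumptions, not from the thread):
#   AD domain ....... AD.EXAMPLE.COM   (domain controller dc1.ad.example.com)
#   MIT realm ....... EXAMPLE.ORG      (KDC kdc.example.org)
#   MIT principal ... tom@EXAMPLE.ORG, mapped to the AD account AD\tom

# --- On the MIT KDC (UNIX shell; shown as a comment for reference) ---
# The shared cross-realm key lets the AD KDC verify cross-realm TGTs issued by
# the MIT KDC. Pick an AES enctype: Windows 7 has DES disabled by default, which
# is the TechNet caveat quoted above. Use the same password as the trust below.
#   kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/AD.EXAMPLE.COM@EXAMPLE.ORG"

# --- On a domain controller of AD.EXAMPLE.COM (elevated prompt) ---
# One-way realm trust: AD.EXAMPLE.COM trusts the non-AD realm EXAMPLE.ORG.
netdom trust AD.EXAMPLE.COM /Domain:EXAMPLE.ORG /add /realm /PasswordT:<TrustPassword>
# Declare which enctypes the MIT realm supports, so no DES is negotiated.
ksetup /SetEncTypeAttr EXAMPLE.ORG AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96

# Map the MIT principal to the AD account that supplies the PAC (group SIDs
# and the other authorization data Windows expects). The MIT KDC authenticates
# the user; this account is where the PAC contents come from.
Import-Module ActiveDirectory
Set-ADUser -Identity tom -Add @{altSecurityIdentities = 'Kerberos:tom@EXAMPLE.ORG'}

# --- On each Windows 7 workstation joined to AD.EXAMPLE.COM (elevated prompt) ---
# Let the client locate the MIT KDC and kpasswd server without DNS SRV records,
# and state the realm's enctypes here as well.
ksetup /AddKdc     EXAMPLE.ORG kdc.example.org
ksetup /AddKpasswd EXAMPLE.ORG kdc.example.org
ksetup /SetEncTypeAttr EXAMPLE.ORG AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96
# Reboot, then log on with the UPN-style name tom@EXAMPLE.ORG.

# Checks after logon:
ksetup    # lists the configured realms, their KDCs and realm flags
klist     # expect krbtgt/EXAMPLE.ORG@EXAMPLE.ORG and the cross-realm
          # krbtgt/AD.EXAMPLE.COM@EXAMPLE.ORG, then the workstation's host ticket
```

If the logon fails with an "encryption type not supported" style error, compare the enctypes on the krbtgt/AD.EXAMPLE.COM@EXAMPLE.ORG principal (kadmin getprinc) with those set by ksetup /SetEncTypeAttr on both the DC and the workstation.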
