Kerberos Rant

Tim Alsop Tim.Alsop at cybersafe.com
Wed Apr 7 04:47:57 EDT 2010


Tom,

Yes, the PAC data is required for authorisation purposes.

Yes, there has been some work to make a replacement for Active Directory, that issues PAC data in tickets etc. This was developed by a company known as PADL (www.padl.com). They developed the product as open source and then sold it to Novell, and Novell have now added to their own product so that Novell NetWare customers can use Windows clients to log on to NetWare running on Linux. I am not aware of anybody else who has done the same, but we do plan to do it at some time in the future, as we feel there is a big market for Active Directory on UNIX or Linux.

Most people today use a KDC on UNIX and use ksetup on the workstation, so that the user's password is maintained in the non-AD KDC, but have AD for the computer account and PAC data.

Thanks,
Tim

From: Tom Medhurst [mailto:tom.medhurst at googlemail.com]
Sent: 07 April 2010 09:35
To: Tim Alsop
Cc: kerberos at mit.edu
Subject: Re: Kerberos Rant

Hi Tim,

No I wasn't aware of that.... That sucks!
I guess Kerberos is no good for what I need then. Damn.

Now the AD protocol is open; are there any plans to implement this into Kerberos so it can be used without AD?

I'm not sure I would need Kerberos if I had an AD running my domain.
Thanks,
Tom
On Wed, Apr 7, 2010 at 8:53 AM, Tim Alsop <Tim.Alsop at cybersafe.com> wrote:
Tom,
I hope you are aware of the PAC data in the Kerberos tickets issued by MS AD, and because of this requirement for Windows login, the Active Directory domain still needs to be involved, even if the user is logging into Windows using a non-Active Directory KDC (e.g. MIT on UNIX). Basically you just need to run ksetup on the workstation to configure the non-AD realm, then set up trust between AD and the non-AD realm and you can log in from Windows 7 clients.

Thanks,
Tim Alsop
CyberSafe

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Tom Medhurst
Sent: 07 April 2010 08:45
To: kerberos at mit.edu
Subject: Kerberos Rant

Hi There,
I apologise in advance for the following rant, but I believe there are issues that need addressing...

I am completely unable to get Windows clients authenticating against Kerberos 5 server. I truly appreciate the assistance that Douglas has given me with that case, but we have been unsuccessful in getting it to work.

In fact there are forum posts all over the web, full of people who are unable to get Windows clients authenticating against krb5; all that I have encountered have been left unanswered.

This message isn't directed in any way towards Douglas (who says he has been using Active Directory for many years now, and no longer uses MIT Kerberos for authenticating Windows clients); but it is directed at the Project Managers (if there are any?) who have decided that Windows client authentication isn't a high enough priority to get working/documented (all documentation on your site mentions Windows 2000 and the instructions are no longer valid and things have changed in the last 11 years!!).

My complaint is the Kerberos project is all about a security protocol. One which can be used to replace the standard user authentication system of the OS. Now it doesn't matter how Unix-friendly a company is; at some point in time they will want/need to connect a Windows machine to their network (for argument's sake, say the boss's new girlfriend has a Windows laptop) and risk assessors will think of scenarios like this before using a technology.
If you can't cater for Windows' vast market share; you are no longer a viable option!!

The main reason for this rant is because I have seen the amazing code that you guys have poured into the project. Plus you've made it open source!
That's absolutely fantastic!! The problem is I have spent weeks trying to get this working, and now I basically have something that is worthless. The amount of time I've spent on this exceeds the cost of a *Winblows* Server OS which ships with Active Directory!

I dislike Windows probably more than the next Unix geek, and this is why I chose to write this email rather than just move on to the more obvious solution. I really want to use Kerberos as a homogeneous logon service for networks I provide to customers, but without Windows support I simply cannot and the cost of installing a system for a startup company rises enormously.

I am not going to consider Samba 4 as an alternative as it has been in beta for more than 3 years and is not yet fit for enterprise use. Kerberos is!
I plead with anyone who has had Windows 7 authenticating against an MIT Kerberos server to please assist me in getting it working. I'd be happy to contribute a large document to your web site explaining how we achieved the end goal (including caveats like DES being disabled by default in Windows 7 <http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx>) so others can learn from our hard work.

If there isn't; I urge whoever steers the direction of this project to stop overlooking such a fundamental area.

It may currently work, but with support or documentation for Windows XP/7 clients, it may as well not work.

Please don't take this rant as an insult to all your hard work. I myself contribute/run many open source projects and understand the dilemma of spending so much time on something which can't easily create a steady revenue.
I am hoping the tone of this email is just enough to warrant some attention by the appropriate parties and action to be taken.

Many thanks for your time,
Kind Regards
Tom Medhurst
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
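
The setup Tim describes in the thread (ksetup on the workstation, plus a trust between AD and the non-AD realm so AD can still supply the PAC), sketched as an added example that is not part of the original messages or of MIT Kerberos documentation. The realm, host, domain and account names are placeholders, and the account-mapping step is an assumption about how realm principals are tied to AD accounts.

```powershell
# Added example. All names below are placeholders (assumptions), not values from the thread.
$Realm    = 'EXAMPLE.COM'       # non-AD (MIT) realm that holds the users' passwords
$Kdc      = 'kdc.example.com'   # host running the MIT KDC
$AdDomain = 'AD.EXAMPLE.COM'    # AD domain that holds computer accounts and issues PAC data
$User     = 'alice'             # AD account that the realm principal maps to

# 1. On each Windows 7 workstation AND on each domain controller:
#    register the KDC for the non-AD realm (takes effect after a reboot).
ksetup /addkdc $Realm $Kdc

# 2. On a domain controller: make the AD domain trust the non-AD realm.
#    The same password must be set on the matching cross-realm principal
#    on the MIT side, for example (run on the KDC host, not on Windows):
#      kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM"
$TrustPassword = Read-Host 'Cross-realm trust password'
netdom trust $AdDomain "/Domain:$Realm" /add /realm "/passwordt:$TrustPassword"

# 3. On a domain controller: Windows 7 disables DES by default, so declare a
#    non-DES encryption type for the realm trust instead of re-enabling DES.
ksetup /setenctypeattr $Realm AES256-CTS-HMAC-SHA1-96

# 4. Map the realm principal to the AD account whose PAC authorises the logon
#    (assumption: mapping through altSecurityIdentities; needs the ActiveDirectory module).
Import-Module ActiveDirectory
Set-ADUser -Identity $User -Add @{ altSecurityIdentities = "Kerberos:$User@$Realm" }

# 5. Check the result: ksetup with no arguments prints the configured realms,
#    and klist (after logging on as alice@EXAMPLE.COM) lists the tickets obtained.
ksetup
klist
```

The password in step 2 is the key that protects every cross-realm ticket, so it should be long and random and entered only on the domain controller and the KDC.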