Kerberos Rant

Tom Medhurst tom.medhurst at googlemail.com
Wed Apr 7 05:02:31 EDT 2010


Tim,
Ah yes Open Enterprise Server... not so *open* though! :(

I agree there is a *huge* market for AD services for Linux, it's a shame
Samba haven't been a little quicker getting version 4 out the door (it's
been in alpha for many years).

I look forward to seeing some inclusion of this in the future.

Many Thanks for your time!

On Wed, Apr 7, 2010 at 9:47 AM, Tim Alsop <Tim.Alsop at cybersafe.com> wrote:

> Tom,
>
> Yes, the PAC data is required for authorisation purposes.
>
> Yes, there has been some work to make a replacement for Active Directory,
> that issues PAC data in tickets etc. This was developed by a company known
> as PADL (www.padl.com). They developed the product as open source and then
> sold it to Novell, and Novell have now added to their own product so that
> Novell Netware customers can use Windows clients to logon to Netware running
> on Linux. I am not aware of anybody else who has done the same, but we do
> plan to do it at some time in the future, as we feel there is a big market
> for Active Directory on UNIX or Linux.
>
> Most people today use a KDC on UNIX and use ksetup on the workstation, so that the
> user's password is maintained in the non-AD KDC, but have AD for the computer
> account and PAC data.
>
> Thanks,
>
> Tim
>
> *From:* Tom Medhurst [mailto:tom.medhurst at googlemail.com]
> *Sent:* 07 April 2010 09:35
> *To:* Tim Alsop
> *Cc:* kerberos at mit.edu
> *Subject:* Re: Kerberos Rant
>
> Hi Tim,
>
> No I wasn't aware of that.... That sucks!
> I guess Kerberos is no good for what I need then. Damn.
>
> Now the AD protocol is open; are there any plans to implement this into
> Kerberos so it can be used without AD?
>
> I'm not sure I would need Kerberos if I had an AD running my domain.
> Thanks,
> Tom
>
> On Wed, Apr 7, 2010 at 8:53 AM, Tim Alsop <Tim.Alsop at cybersafe.com> wrote:
>
> Tom,
> I hope you are aware of the PAC data in the Kerberos tickets issued by MS
> AD, and because of this requirement for Windows login, the Active Directory
> domain still needs to be involved, even if user is logging into Windows
> using a non Active Directory KDC (e.g. MIT on UNIX). Basically you just need
> to run ksetup on workstation to configure the non AD realm, then setup trust
> between AD and the non AD realm and you can login from Windows 7 clients.
>
> Thanks,
> Tim Alsop
> CyberSafe
>
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of Tom Medhurst
> Sent: 07 April 2010 08:45
> To: kerberos at mit.edu
> Subject: Kerberos Rant
>
> Hi There,
> I apologise in advance for the following rant, but I believe there are
> issues that need addressing...
>
> I am completely unable to get Windows clients authenticating against
> Kerberos 5 server. I truly appreciate the assistance that Douglas has given
> me with that case, but we have been unsuccessful in getting it to work.
>
> In fact there are forum posts all over the web, full of people who are
> unable to get Windows clients authenticating against krb5; all that I have
> encountered have been left unanswered.
>
> This message isn't directed in anyway towards Douglas (who says he has been
> using Active Directory for many years now, and no longer uses MIT Kerberos
> for authenticating Windows clients); but it is directed at the Project
> Managers (if there are any?) who have decided that Windows client
> authentication isn't a high enough priority to get working/documented (all
> documentation on your site mentions Windows 2000 and the instructions are no
> longer valid and things have changed in the last 11 years!!).
>
> My complaint is the Kerberos project is all about a security protocol. One
> which can be used to replace the standard user authentication system of the
> OS. Now it doesn't matter how Unix-friendly a company is; at some point in
> time they will want/need to connect a Windows machine to their network (for
> arguments sake, say the bosses new girlfriend has a Windows laptop) and risk
> assessors will think of scenarios like this before using a technology.
> If you can't cater for Windows' vast market share; you are no longer a
> viable option!!
>
> The main reason for this rant is because I have seen the amazing code that
> you guys have poured into the project. Plus you've made it open source!
> That's absolutely fantastic!! The problem is I have spent weeks trying to
> get this working, and now I basically have something that is worthless. The
> amount of time I've spent on this exceeds the cost of a *Winblows* Server OS
> which ships with Active Directory!
>
> I dislike Windows probably more than the next Unix geek, and this is why I
> chose to write this email rather than just move on to the more obvious
> solution. I really want to use Kerberos as a homogeneous logon service for
> networks I provide to customers, but without Windows support I simply cannot
> and the cost of installing a system for a startup company rises enormously.
>
> I am not going to consider Samba 4 as an alternative as it has been in beta
> for more than 3 years and is not yet fit for enterprise use. Kerberos is!
>
> I plead with anyone who has had Windows 7 authenticating against an MIT
> Kerberos server to please assist me in getting it working. I'd be happy to
> contribute a large document to your web site explaining how we achieved the
> end goal (including caveats like DES being disabled by default in Windows 7,
> <http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx>)
> so others can learn from our hard work.
>
> If there isn't; I urge whoever steers the direction of this project to stop
> overlooking such a fundamental area.
>
> It may currently work, but without support or documentation for Windows XP/7
> clients, it may as well not work.
>
> Please don't take this rant as an insult to all your hard work. I myself
> contribute to/run many open source projects and understand the dilemma of
> spending so much time on something which can't easily create a steady revenue.
> I am hoping the tone of this email is just enough to warrant some attention
> by the appropriate parties and action to be taken.
>
> Many thanks for your time,
> Kind Regards
> Tom Medhurst
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
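
The setup Tim describes above (workstation joined to AD so that the computer account and PAC come from AD, the user's password held in an MIT KDC, ksetup on the workstation and a realm trust between the two realms) as an added worked example. This is not code from the thread, from MIT Kerberos or from CyberSafe. The realm names AD.EXAMPLE.COM and MIT.EXAMPLE.COM, the KDC host kdc.mit.example.com, the user tom and the trust password are all assumed; the kadmin commands in comments are what is typed on the MIT KDC, the rest is typed in an elevated PowerShell prompt on the Windows 7 workstation or on a domain controller as noted.

```powershell
# Added example, not from the thread. Assumed names:
#   AD domain/realm : AD.EXAMPLE.COM   (workstation is joined here; supplies the computer account and PAC)
#   MIT realm       : MIT.EXAMPLE.COM  (holds the user's password)
#   MIT KDC host    : kdc.mit.example.com
#   user            : tom (AD account) mapped to tom@MIT.EXAMPLE.COM
$adRealm  = 'AD.EXAMPLE.COM'
$mitRealm = 'MIT.EXAMPLE.COM'
$mitKdc   = 'kdc.mit.example.com'
$trustPw  = 'CrossRealmSecret!'   # assumed; must be identical on both sides of the trust

# --- 1. On the MIT KDC (typed there, not in PowerShell): cross-realm keys ---
# One principal per direction for a two-way trust. Use AES, not DES:
# Windows 7 has DES disabled by default, so a DES-only cross-realm key
# makes the trust fail silently at logon. Both principals get $trustPw.
#   kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM"
#   kadmin.local -q "addprinc -e aes256-cts-hmac-sha1-96:normal krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM"
# Check the user's own key is not DES-only either:
#   kadmin.local -q "getprinc tom"      # look at the "Key:" lines for aes256-cts

# --- 2. On a domain controller: realm (non-Windows Kerberos) trust ---------
# AD.EXAMPLE.COM is the trusting domain, the MIT realm the trusted side;
# /Twoway creates both directions so the passwords above both get used.
netdom trust $adRealm /Domain:$mitRealm /Add /Realm /Twoway /PasswordT:$trustPw

# --- 3. On a domain controller: map the AD account to the MIT principal ----
# The AD account contributes group SIDs/PAC at logon; the MIT realm
# contributes the password. altSecurityIdentities is the "Name Mappings"
# attribute in AD Users and Computers.
Import-Module ActiveDirectory
Set-ADUser -Identity 'tom' -Add @{ altSecurityIdentities = "Kerberos:tom@$mitRealm" }

# --- 4. On the Windows 7 workstation: where the MIT realm's KDC lives ------
# No /setdomain here: the workstation stays joined to AD. ksetup only needs
# to know the KDC and kpasswd server for the foreign realm.
ksetup /addkdc     $mitRealm $mitKdc
ksetup /addkpasswd $mitRealm $mitKdc
# MIT KDCs speak TCP; tell Windows to use it rather than UDP for this realm.
ksetup /setrealmflags $mitRealm tcpsupported
# Show the resulting configuration (default realm, KDCs, realm flags).
ksetup

# --- 5. Logon and verification --------------------------------------------
# At the Windows 7 logon screen the user types the full principal name
#   tom@MIT.EXAMPLE.COM
# with the MIT password. After logon, the ticket cache should contain the
# MIT TGT and the cross-realm TGT that AD accepted:
klist
#   Server: krbtgt/MIT.EXAMPLE.COM @ MIT.EXAMPLE.COM   <- issued by the MIT KDC
#   Server: krbtgt/AD.EXAMPLE.COM  @ MIT.EXAMPLE.COM   <- cross-realm TGT (key from step 1)
```

If step 5 fails with KDC_ERR_ETYPE_NOSUPP, the cross-realm or user key still has only a DES enctype; if the MIT TGT appears but the cross-realm TGT does not, the trust password or the direction of the netdom trust is wrong, and the altSecurityIdentities mapping only matters once the cross-realm TGT is in the cache.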