Does the KDC provided by Microsoft AD server work well with client API provided by MIT?

Jeff White jaw171 at pitt.edu
Wed Dec 26 16:38:26 EST 2012


On 12/26/2012 03:00 PM, Elia Pinto wrote:
> Samba could create a keytab and service principal on Windows AD
>
> best
>
> 2012/12/26, Russ Allbery <rra at stanford.edu>:
>> shuaijie wang <wangshuaijie at gmail.com> writes:
>>
>>> Currently I have these requirements:
>>> 1. We use Microsoft Active Directory.
>>> 2. We have some client programs that are built on top of the krb5 libs
>>> provided by MIT.
>>> I want to ask if these client programs can work well with the KDC server
>>> bundled with AD (that is, if these clients can apply for a TGT, renew a TGT,
>>> run ktadd... as if they were talking to an MIT KDC server)?
>> All the normal Kerberos protocol operations will work fine.  kpasswd
>> should also work fine.  Nothing related to the kadmin protocol (in other
>> words, anything that you would run the kadmin client to do) will work.
>> You'll need to use other tools (either Microsoft's native tools or
>> third-party tools for UNIX that work with AD) to do things like create
>> keytabs.
>>
>> --
>> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
>>
Some applications have issues dealing with Microsoft's PAG they throw
into tickets, though you can disable PAG on a per-user basis. We did that
for OpenAFS and Cyrus IMAP's service principals due to problems we were
having.

