Kfw question

Jeffrey Altman jaltman at secure-endpoints.com
Thu Jun 13 09:02:34 EDT 2013


On 6/12/2013 1:21 PM, Matt Lists wrote:
> Hi... I'm hoping that questions about MIT Kerberos for Windows are
> on-topic here.  Apologies in advance if this is not the case.
> 
> We have a Samba 3 domain and also separate MIT Krb5 KDCs, where the
> principal names match the Samba userids.  On previous Windows XP
> machines with Kfw 3.x installed, Kfw would somehow automatically get a
> TGT from the KDC when the user logged into the samba domain via the
> Windows domain logon dialog.  I always assumed that Kfw somehow had
> access to the cleartext password entered by the user, but don't know if
> that's true.  (Was there some kind of Windows password cache, or
> something via the GINA API?)

There is a network provider dll and an explorer shell login/logout hook.

> Now on Windows 7, I can't seem to get Kfw 3 or 4 to behave the same way
> (still the same old Samba 3 domain).  I understand that Kfw 4 can import
> credentials from the Windows 7 LSA, but I don't think that will help me,
> as we are using old NTLM style authentication rather than AD style, and
> thus Windows has no tickets.

Microsoft removed the explorer shell login/logout hook in Vista.

> I've done a lot of searching to see how to get this to work, but have
> come up short.  Is it still possible to do this?  If so, any whacks with
> a cluebat would be greatly appreciated.

The functionality is gone.

Jeffrey Altman



