Kfw question
Jeffrey Altman
jaltman at secure-endpoints.com
Thu Jun 13 09:02:34 EDT 2013
On 6/12/2013 1:21 PM, Matt Lists wrote:
> Hi... I'm hoping that questions about MIT Kerberos for Windows are
> on-topic here. Apologies in advance if this is not the case.
>
> We have a Samba 3 domain and also separate MIT Krb5 KDCs, where the
> principal names match the Samba userids. On previous Windows XP
> machines with Kfw 3.x installed, Kfw would somehow automatically get a
> TGT from the KDC when the user logged into the samba domain via the
> Windows domain logon dialog. I always assumed that Kfw somehow had
> access to the cleartext password entered by the user, but don't know if
> that's true. (Was there some kind of Windows password cache, or
> something via the GINA API?)
There is a network provider dll and an explorer shell login/logout hook.
> Now on Windows 7, I can't seem to get Kfw 3 or 4 to behave the same way
> (still the same old Samba 3 domain). I understand that Kfw 4 can import
> credentials from the Windows 7 LSA, but I don't think that will help me,
> as we are using old NTLM style authentication rather than AD style, and
> thus Windows has no tickets.
Microsoft removed the explorer shell login/logout hook in Vista.
> I've done a lot of searching to see how to get this to work, but have
> come up short. Is it still possible to do this? If so, any whacks with
> a cluebat would be greatly appreciated.
The functionality is gone.
Jeffrey Altman
More information about the Kerberos mailing list