Kerberos v5

Sacha_M...@appliedcard.com

May 18, 2006, 4:53:44 PM5/18/06
We are planning to transition our enterprise to a scenario where all
platforms will authenticate to Active Directory via Kerberos. MIT
Kerberos v5 Rel. 1.4.3 appears to be the candidate to facilitate
authentication from our Unix, Linux/Fedora platforms.

We are also interested in authenticating our OS/400 platform. I'm curious
to know if there is a distribution of Kerberos supported by the OS/400.

Thank you,
________________________________________________
Kerberos mailing list Kerb...@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Richard E. Silverman

May 19, 2006, 9:38:42 PM5/19/06
>>>>> "SM" == Sacha Mirambeau <Sacha_M...@appliedcard.com> writes:

SM> We are planning to transition our enterprise to a scenario where
SM> all platforms will authenticate to Active Directory via Kerberos.
SM> MIT Kerberos v5 Rel. 1.4.3 appears to be the candidate to
SM> facilitate authentication from our Unix, Linux/Fedora platforms.

Your Unix users can authenticate directly to AD; there is no need for a
separate realm for that. Running kerberized services (or password
verification) on Unix requires putting those service principals in AD,
i.e. creating AD accounts for those machines with the needed principals.
You can create a separate realm for the Unix machines with realm trust to
the AD realm in place, but with this problem: the Windows machines will
not recognize that the Unix machines are in the other realm. This is
because Windows does not use the traditional mechanisms to determine the
realm of a host, i.e. DNS or static configuration. Instead, Windows
clients rely on referrals from their local domain controllers, and the
DCs only refer to realms associated with other AD domains in their
forest. I have been trying to find a way now for a month or so, to cajole
Windows into issuing referrals to external realms, without success. I've
tried several different approaches, and I have a case open with Microsoft
support on it right now.

The problem can be elegantly solved by changing the Windows clients' logon
realm to a Unix one, with trust in place to the AD realm for obtaining
Windows service tickets with the PAC, but this is probably too big a
change for us to deploy.

Irritatingly, Microsoft supports static configuration on 2003 server,
which is what our DCs run -- but only for Kerberos clients; the KDC does
not consult it. They are not willing to make that change, nor to port the
static configuration feature to XP, which our desktops run.

Another route is avoiding SSPI altogether, using the KfW GSSAPI library
instead. Several important Windows clients support this, including
Firefox (1.5), some forks of PuTTY, and VanDyke SSH. But of course IE
doesn't, and you never know when you'll want to use something else that
doesn't.

I'm not out of ideas yet, though, and if I find a solution I will post
here. I did post about this here sometime back, but got no response.

--
Richard Silverman
r...@qoxp.net
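The reply above turns on the "traditional mechanism" an MIT client uses to decide which realm a host belongs to: the static [domain_realm] mapping in krb5.conf (with DNS as a fallback), which Windows clients do not consult. The following added example (not code from the thread or from MIT Kerberos) implements that lookup over a constructed two-realm krb5.conf: an AD realm that Unix users log in to directly, a separate Unix realm for Unix service hosts, and one host inside the AD DNS domain whose services are mapped to the Unix realm. The hostnames, realm names and KDC names are invented for the example; the matching order (exact host first, then longest dotted suffix, then default_realm) follows the documented MIT behaviour and is stated here as an assumption.

```python
"""Resolve the Kerberos realm of a host from a static krb5.conf mapping.

Added example: shows the [domain_realm] lookup an MIT krb5 client performs,
which is exactly the step Windows clients skip in favour of DC referrals.
All hostnames and realms below are constructed for illustration.
"""

# Constructed sample krb5.conf: Unix clients use AD.EXAMPLE.COM as their
# logon realm, Unix service hosts live in UNIX.EXAMPLE.COM, and one box in
# the AD DNS domain is explicitly mapped to the Unix realm.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com
        admin_server = kdc1.unix.example.com
    }

[domain_realm]
    ad.example.com = AD.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    .unix.example.com = UNIX.EXAMPLE.COM
    legacy-box.ad.example.com = UNIX.EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: returns {section: {key: value}} for the
    top-level keys of each section. Brace-nested blocks (the per-realm
    stanzas under [realms]) are skipped, which is all this example needs."""
    sections = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            sections.setdefault(section, {})
            depth = 0
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if section is not None and depth == 0 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[section][key] = value
    return sections


def host_realm(hostname, conf):
    """Map a hostname to a realm the way MIT krb5 does with static config:
    1. exact hostname entry in [domain_realm];
    2. otherwise the longest matching entry that starts with a dot;
    3. otherwise fall back to default_realm (assumption: the real library
       would also try DNS TXT records before giving up)."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # most specific suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf.get("libdefaults", {}).get("default_realm")


def service_principal(service, hostname, conf):
    """Build the principal a client would request a ticket for, e.g.
    host/box.unix.example.com@UNIX.EXAMPLE.COM. This is the name that must
    exist in the realm's KDC (in AD: on a computer/service account)."""
    return "%s/%s@%s" % (service, hostname.lower(), host_realm(hostname, conf))


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("fs1.ad.example.com", "legacy-box.ad.example.com",
              "web.unix.example.com", "printer.example.org"):
        print(service_principal("host", h, conf))
```

The interesting line is legacy-box.ad.example.com: a MIT client resolves it to UNIX.EXAMPLE.COM because the exact-host entry wins over the .ad.example.com suffix, so it asks the Unix KDC (via cross-realm trust) for host/legacy-box.ad.example.com@UNIX.EXAMPLE.COM. A Windows client in the same forest never sees this mapping; it asks its DC, which only refers to realms of AD domains in the forest, which is the failure the reply describes.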
