Well said! -gil
-----Original Message-----
From: Douglas E. Engert [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 20, 2002 9:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Using AD with Kerberos on UNIX

There have been a number of questions about using AD, Kerberos and Unix. But many of the responses have been confusing because they have mixed up the concepts of authentication, authorization, and directory services.

Kerberos is used for authentication. It does not do authorization, or directory services. Microsoft has added extensions to the protocol to carry authorization data in the Kerberos tickets. Kerberos on UNIX does use or understand these extensions today.

In UNIX, the password file (or NIS) serves as the database for authentication, authorization and directory services. A user is authenticated if he can match the password in the password file, he is authorized to use the local system because he is listed in the password file, and the password file contains the location of the user's home directory.

When Kerberos is used with UNIX, only the authentication is done via Kerberos. The user still needs to be authorized, and the home directory still needs to be located. So in most situations, the password file or NIS still serves these functions. (There are ways to use AD for these too, but you must start with authentication.)

Kerberos refers to users and services as principals in realms. For example, my principal could be [EMAIL PROTECTED]. After authentication, the principal can be mapped to a local UNIX user. By default it would be assumed to be deengert, but there are ways to map to other local unix users.

The AD machines can act as Kerberos KDCs, where the AD domain name is the Kerberos realm name. We are currently running a mixed environment, where users are registered in a Microsoft AD Domain. Unix servers are registered in a Kerberos realm which is using the MIT code as the Kerberos KDCs. Cross realm trust has been established between these.

This allows us to have single sign-on. A user with an AD account can walk up to a UNIX workstation and login to UNIX using his AD account. A user on a Windows machine who has logged in to the domain can use these tickets with SSH, for example, to login to a unix machine. If the SSH is configured correctly, it can use Kerberos to authenticate to the SSH daemon running on the unix machine. It can even delegate, or forward, a Kerberos ticket to the unix machine.

I normally use a W2K machine, where I login. I then use the SecureCRT SSH client to login to UNIX systems running OpenSSH. The SecureCRT authenticates using the stored Kerberos tickets obtained when I logged in to the PC. A ticket is forwarded to the UNIX system, to be used to do further authentication. The SSH daemon uses this ticket to authenticate to AFS for me, as my home directory is in AFS.

So yes, you can use AD for authentication for UNIX.

For more information, check out these references:

MIT site: http://web.mit.edu/kerberos
Also look for "Kerberos for Windows"

"Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability"
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.asp
You must have this document. It is a little out of date, but has the step by step directions.

"Interoperability with Microsoft Windows 2000 Active Directory and Kerberos Services"
On the MSDN Library CDs (It is listed as online as well, but the links are not correct.)

Some other useful tools for UNIX to interact with the AD. Other sites include the Heimdal version of Kerberos: http://www.pdc.kth.se/heimdal/
The Kermit program for windows which has Kerberos built in: http://www.columbia.edu/kermit/k95.html
SecureCRT at http://www.vandyke.com.

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
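The three separate steps Douglas describes (Kerberos authenticates a principal, the principal is mapped to a local UNIX name, and the password file then authorizes the login and supplies the home directory) as an added, simplified model in Python; this is not code from the thread or from MIT Kerberos, and the realm names, the explicit cross-realm mapping table and the passwd entries are constructed placeholders.

```python
import re

# Constructed configuration (placeholders, not from the original message).
LOCAL_REALM = "UNIX.EXAMPLE.ORG"       # realm served by the MIT KDCs
TRUSTED_REALMS = {"AD.EXAMPLE.ORG"}    # AD domain reachable via cross-realm trust

# Explicit principal -> local user mappings for cross-realm users
# ("there are ways to map to other local unix users").
PRINCIPAL_MAP = {
    "deengert@AD.EXAMPLE.ORG": "deengert",
    "j.smith@AD.EXAMPLE.ORG": "jsmith",
}

# Constructed password-file entries: local name -> home directory.
PASSWD = {
    "deengert": "/afs/example.org/user/deengert",
    "jsmith": "/home/jsmith",
}

PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^@]+))?@([A-Z0-9.\-]+)$")


def authenticated_principal(principal):
    """Step 1, authentication only: parse name[/instance]@REALM and accept it
    solely if the realm is ours or one we have a trust path to. Returns
    (name, instance, realm) or None. Says nothing about who may log in."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return None
    name, instance, realm = m.groups()
    if realm != LOCAL_REALM and realm not in TRUSTED_REALMS:
        return None
    return name, instance, realm


def map_to_local_user(principal):
    """Step 2: principal -> local UNIX name. Local-realm user principals map to
    their first component by default (deengert@LOCAL -> deengert); cross-realm
    principals and service principals need an explicit mapping."""
    parsed = authenticated_principal(principal)
    if parsed is None:
        return None
    name, instance, realm = parsed
    if principal in PRINCIPAL_MAP:
        return PRINCIPAL_MAP[principal]
    if realm == LOCAL_REALM and instance is None:
        return name
    return None


def authorize_login(principal):
    """Step 3: authorization and directory lookup still come from the password
    file. Returns (user, home_dir) or None when the user is not listed."""
    user = map_to_local_user(principal)
    if user is None or user not in PASSWD:
        return None
    return user, PASSWD[user]
```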
