No, there was an incorrect statement.

If you want a Win2k Domain, you have to run a Win2k Active Directory server.
You do have to set passwords on each of the user accounts in the AD server.
However, you don't have to synchronize the passwords between a Kerberos realm
and the AD server to get most functionality.

At MIT we have set all of the user passwords to be a random 128 characters
for each AD account. There is an account mapping from the UNIX realm to the
AD accounts. Initial authentication is done against the UNIX realm.

This works well except in the case of Exchange. Exchange doesn't support
Kerberos; it is always using NTLM. If the users don't know their native
Windows password, they won't be able to use Exchange.

A similar problem exists for the Microsoft Macintosh File and Print
Services.

Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Derek Yarnell
Sent: Monday, June 10, 2002 5:10 PM
To: [EMAIL PROTECTED]
Subject: Re: interoperability Win2k/Linux


>
> - The long and short of it, is that if you want to support W2k
> services, you HAVE to run a W2k Active Directory server. You don't
> have to keep user passwords in it, but you have to run it.
>

So wait, you are saying there is a way to pass through the krb5 auth to
an MIT KDC? How can I do this, while running W2K Active Directory for
things like Exchange, etc.?

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
