Part of our migration from NT to Active Directory involves cloning NT user accounts to initialize the AD account (including the password). This allows a user to log in to XP (a member of an AD domain) using the cloned password, at least initially.
It's not clear whether the cloning mechanism allows us to participate in K5 based authentication or if it's still NTLM. Nonetheless, from UNIX (MIT Kerberos clients), when trying to obtain a TGT using the cloned account, the following error is produced:

> $ kinit [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
> kinit(v5): KDC has no support for encryption type while getting initial credentials

However, once I change my AD password, the MIT kinit can obtain tickets from the AD KDC. This is presumably because the NTLM hash of the user's password (now held in AD, cloned from the NT account) does not produce a DES key that can be used with the MIT supported enctypes.

Cloning accounts/passwords in bulk is potentially a challenge. My recommendation right now (to our PC engineering/deployment folks) would be to expire passwords as part of the cloning process, such that a password change is required on initial login to XP/AD. The password change then enables users to obtain tickets from an AD KDC using UNIX/MIT clients. However, not everyone has a Windows based desktop, so the initial password change becomes impractical for some class of users.

I'm wondering if anyone has or plans to implement an enc-type, on the [MIT] client side, that supports the NTLM hashed password/key, or whether there are any technical reasons that simply would not work.

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
