On Sat, 05 Oct 2002 18:26:08 +0000, Sam Hartman wrote:

> I am fairly sure you're misusing the term active directory here. It's
> certainly true that you're using an extra DLL or two, and you need to
> have a krb5.ini, but you can use your Windows credentials and Windows KDCs.

I've had an implementation that did this for some time... nobody uses it, basically because nobody knows how to set up the krb5.ini and the whole ktpass/export key thing is a pain. With a pure SSPI implementation it all 'just works' provided you're connecting to the local domain (the MS Kerberos implementation has no equivalent of 'kinit', so you'd have to use MIT for remote connections anyway).

> Any export/license issues you'd have with the MIT codebase (and while
> they do exist for commercial software, they do not seem prohibitive)
> will also exist with Heimdal.

They don't, because Heimdal isn't written in the US, so I don't have to go near a US server to get it. If a US citizen wants to then download it, it's between them and their legal system, and not my problem (I do warn people to check with their lawyers if they're unsure, though). Similarly, with the MIT tarball, I grab it from the UK Debian mirror as a .deb and extract it. The export was not done by me, and I haven't broken any laws by downloading it. However, KFW is only available from MIT, and the only way to get it is to bypass their 'are you in the US' checking. This makes it damned hard to distribute, because I have to break some law or other to download it.

> > ftp://ftp.sap.de/pub/ietf-work/

Ahh, OK. It doesn't solve the server side, which is the bit of my implementation that doesn't work properly also... The problem is that the MS Kerberos doesn't have any equivalent of a keytab, and service principals are a hack (i.e. it doesn't really support them; it aliases an active username onto it). You need the plaintext password of the user you've aliased the principal onto to create the correct security context, which is a bit of a security problem (if the server is compromised locally, the attacker then has a valid login to the domain).

Tony
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
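The two pieces Tony describes as painful, the client-side krb5.ini and the server-side ktpass export, look like this in practice. This is an added example, not code from the post or from the MIT, Heimdal or Microsoft projects. All names are assumptions: realm EXAMPLE.COM, domain controller dc1.example.com, service host web.example.com, a dedicated domain account svc-web that the HTTP/ service principal is mapped onto, and C:\keytabs\web.keytab as the output path. The krb5.ini location is also an assumption (MIT Kerberos for Windows reads %WINDIR%\krb5.ini by default). The ktpass and kinit flags used are the documented ones; ktpass runs on a domain controller, the rest on the Windows client.

```powershell
# Added example (not from the original post). Assumed names: realm EXAMPLE.COM,
# KDC dc1.example.com, service host web.example.com, mapped account svc-web.

# 1. Client side: krb5.ini for MIT Kerberos for Windows / Heimdal, pointing the
#    realm at the Windows KDC so kinit and GSSAPI use Windows credentials.
#    Assumption: the client's MIT KFW reads %WINDIR%\krb5.ini.
$krb5ini = @"
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
"@
Set-Content -Path "$env:WINDIR\krb5.ini" -Value $krb5ini -Encoding ASCII

# 2. Server side, on the domain controller: Windows has no keytab, so the
#    service principal is aliased onto a user account with /mapuser and its
#    key exported with ktpass. By default ktpass also sets that account's
#    password to the value supplied (/pass * prompts for it), so the keytab
#    and the svc-web account password are the same secret. Anyone who reads
#    the keytab, or the plaintext password the aliased account needs, can log
#    in to the domain as svc-web: that is the exposure the post describes.
ktpass /princ HTTP/web.example.com@EXAMPLE.COM `
       /mapuser svc-web@EXAMPLE.COM `
       /pass * `
       /ptype KRB5_NT_PRINCIPAL `
       /out C:\keytabs\web.keytab

# 3. Check from the client that the exported key matches what the KDC issues:
#    MIT kinit obtains a TGT for the service principal using only the keytab.
#    If the key or salt is wrong this fails with a preauthentication error.
kinit -k -t C:\keytabs\web.keytab HTTP/web.example.com@EXAMPLE.COM
klist
```

Because the exported key is the account password, treat web.keytab with the same controls as a domain credential: restrict its ACL to the service identity, use a dedicated account with no interactive logon rights, and rotate it by re-running ktpass rather than reusing the password elsewhere.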
