<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/maintain/featusability/kerbinop.asp>
Once that is done, you can log in as [EMAIL PROTECTED]. If that succeeds, you will have a Kerberos TGT for the MIT-based realm, but in Microsoft's ticket cache. At that point, you run ms2mit.exe to copy the TGT to the MIT ticket cache, then run aklog. So, you'll need a login script that looks like:
ms2mit
(krb524init)
aklog cell1
aklog cell2
...
I am not sure if that works for XP machines in NT4 domains. Either way, in my experience, standalone Win2k machines will not do principal->account mappings.
Another route is to write a network provider Dll (perhaps a modified AFSLogon.dll) to capture the user's password and do "something" with it. That "something" is complicated by the fact that the network provider Dll runs as LocalSystem in the same Window Station as the Gina (login screen), so authenticating right then and there will get you tickets and tokens in the wrong place.
If all you want is AFS tokens, the Network Provider can get a TGT and aklog right then and there, using a special parameter in the AFS token interface to send the tokens to the right account. This would amount to modifying a function or two within AFSLogin.dll - you would need to change the kaserver init to a Kerberos 5 init, paste the krb524 code from aklog, and fill in the smbname field in the ktc_principal structure when calling ktc_SetToken so that the token ends up associated with the correct user.
If you want full MIT TGTs you'd need to do something weird to get either the user's password or marshalled TGTs into the user's session. This would be hard.
Thanks,
Ben Creech
NCSU ITECS
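An added example (not from the original mail) of the ms2mit / aklog login script sketched above, written as a Windows batch file that checks each step's exit code and logs what happened; the cell names, the log path, and tokens.exe being on the PATH are assumptions.

```batch
@echo off
rem Added example login script (not from the original mail): copy the
rem Windows TGT into the MIT cache, then get AFS tokens for each cell,
rem checking each step. Cell names and the log path are placeholders.
setlocal
set "CELLS=cell1.example.org cell2.example.org"
set "LOG=%TEMP%\afs-login.log"

echo [%DATE% %TIME%] AFS login for %USERNAME% >> "%LOG%"

rem Step 1: copy the TGT from the Microsoft cache into the MIT cache.
rem Without it there is nothing for aklog to use, so stop here.
ms2mit
if errorlevel 1 (
    echo ms2mit failed: no MIT TGT available >> "%LOG%"
    exit /b 1
)

rem Step 2 (optional): only needed when aklog cannot do krb524 itself.
rem A missing krb524init is not fatal, so hide the "not found" error.
krb524init 2>nul

rem Step 3: one aklog per cell. Keep going so one bad cell does not
rem block tokens for the others, but remember that something failed.
set FAILED=0
for %%C in (%CELLS%) do (
    aklog %%C
    if errorlevel 1 (
        echo aklog %%C failed >> "%LOG%"
        set FAILED=1
    ) else (
        echo aklog %%C ok >> "%LOG%"
    )
)

rem Step 4: record which tokens actually ended up in this user's
rem session (tokens.exe is assumed to be installed with the AFS client).
tokens >> "%LOG%" 2>&1
exit /b %FAILED%
```

Because the script exits non-zero when any aklog fails, the log plus the exit code tell you whether a user who reports "no access" ever got a token for that cell or never got past ms2mit.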
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
