At 9:40 AM -0600 3/12/04, Digant Kasundra wrote:
> >Is anyone aware of any product that can sync passwords between an MIT
> >Kerberos KDC and MS Active Directory?

Alf Wachsmann at SLAC is doing this with Heimdal.

 Personally I'd rather only have the passwords (keys actually) stored
 in one of the two, and I'd rather it wasn't the commercial product.
 Institutional requirements differ though.
 --
 The opinions expressed in this message are mine,
 not those of Caltech, JPL, NASA, or the US Government.
 [EMAIL PROTECTED], or [EMAIL PROTECTED]


I agree completely. We want to move away from AD and over to Kerb. But the password syncing was a compromise between us (the Unix guys) and Windows guys. We plan to do it on a non-permanent basis as a way of (a) migrating passwords from Windows to Kerb by trapping password change events over the next 3 or 4 months and (b) continuing to allow non-Kerb (NTLM only) apps to still log in with the same "one username/one password."

If either of you can help me out, I'd be grateful.

For short-term help you need to talk to Alf. In addition to the documented hook, which lets you check/veto passwords, you need a second one where you record acceptable changes. Alf did a patch for the second and I believe he has working code to actually implement the synchronization.


I hope he doesn't mind my advertising what he's done.

For more on my own ideas see the "Kerberos Feature Request" thread I started on kerbdev and the Heimdal list about a month ago.
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[EMAIL PROTECTED], or [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
