On Thu, 10 Feb 2005 23:20:37 -0500, Fredrik Tolf wrote:

> I have to admit that I don't know a lot about Windows and Kerberos.
> However, as I've understood it, the only thing that really prevents you
> from using a MIT KDC for Windows clients is the authorization data they
> ship in the ticket, right? And this is called "PAC", right?

The necessary information about the PAC structure is freely available on MS' website [1] (and contrary to popular belief the use of the authorization-data field is as designed and not a case of "embrace and extend"). The problem is what is *in* the PAC. It contains the principal's group membership list which is required to create the "token" used by Windows clients to make access control decisions. Group information in a MS forest is stored in Active Directory, on each domain controller, and depending on the group type, may be replicated between AD and domain controllers (AD and MS Kerberos are very tightly coupled). The groups for a particular authentication are expanded as the client traverses the trust to the target [2]. So to use an alternate Kerberos implementation you would need to implement a variety of MS specific communication [2] to properly and efficiently produce the necessary group SIDs to construct the PAC.

The closest thing that comes to this is probably XAD [4] which is an amalgamation of Samba, OpenLDAP, MIT Kerberos, and proprietary stuff but I have no idea how well it works as I have never used it.

Mike

[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/msdn_pac.asp
[2] http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAGroup.html
[3] I have recently written an Open Source MIDL compatible IDL compiler that could be used to generate the necessary DCE RPC proxies for much of this communication. It can be located at http://jcifs.samba.org/src/midlc-<version>.tar.gz
[4] http://www.padl.com/Products/XAD.html

--
IRC - where men are men, women are men, and the boys are FBI agents.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
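To make the PAC container Mike refers to concrete, here is an added example (not part of the thread, and not code from MIT Kerberos, Samba or XAD) that builds and parses the outer PACTYPE layout from the MS PAC documentation: a buffer count and version, a table of PAC_INFO_BUFFER entries (type, size, 64-bit offset), then the 8-byte-aligned buffer bodies, including the server and KDC signature buffers that a verifier must check before trusting the group list. The sample blob is constructed and its logon-info body is an opaque placeholder; a real KERB_VALIDATION_INFO is NDR-encoded and is not decoded here.

```python
import struct

# PAC buffer types from the MS PAC documentation (ulType values)
PAC_LOGON_INFO = 0x01        # KERB_VALIDATION_INFO: user and group SIDs (NDR-encoded)
PAC_SERVER_CHECKSUM = 0x06   # signature over the PAC, keyed with the service's key
PAC_PRIVSVR_CHECKSUM = 0x07  # signature over the server checksum, keyed with the KDC key
PAC_CLIENT_INFO = 0x0A       # client name and ticket authtime

def build_pac(buffers):
    """Serialise a PACTYPE: cBuffers, Version (0), the PAC_INFO_BUFFER table, then
    each buffer body padded to 8 bytes. Used only to construct test data here."""
    header_len = 8 + 16 * len(buffers)
    table, body, offset = b"", b"", header_len
    for ul_type, data in buffers:
        table += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + table + body

def parse_pac(blob):
    """Return {ulType: bytes} for every PAC_INFO_BUFFER. Offsets are relative to
    the start of the PACTYPE, so a bounds check guards against a truncated PAC."""
    c_buffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    out = {}
    for i in range(c_buffers):
        ul_type, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if off + size > len(blob):
            raise ValueError("buffer %d (type 0x%x) runs past end of PAC" % (i, ul_type))
        out[ul_type] = blob[off:off + size]
    return out

def signature_type(buf):
    """PAC_SIGNATURE_DATA: ULONG SignatureType followed by the raw signature bytes."""
    return struct.unpack_from("<I", buf, 0)[0], buf[4:]

# Constructed sample: an opaque logon-info placeholder plus two checksum buffers whose
# SignatureType 0x10 (HMAC-SHA1-96 with AES256) carries a 12-byte signature; the
# signatures are all-zero because nothing is actually signed in this example.
SAMPLE_PAC = build_pac([
    (PAC_LOGON_INFO, b"\x01\x10\x08\x00" + b"\xAA" * 20),
    (PAC_SERVER_CHECKSUM, struct.pack("<I", 0x10) + b"\0" * 12),
    (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", 0x10) + b"\0" * 12),
])

if __name__ == "__main__":
    for ul_type, data in parse_pac(SAMPLE_PAC).items():
        print("buffer type 0x%02x: %d bytes" % (ul_type, len(data)))
```

A KDC that produces a PAC for Windows clients must fill the logon-info buffer with the expanded group SIDs Mike describes and then compute both checksums; a service that consumes one should verify the server checksum before acting on any group in it.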
