[EMAIL PROTECTED] wrote:
> You can't. Microsoft have proprietary extensions to Kerberos/LDAP etc
> that means it's impossible to get a Microsoft product using a non-M$ KDC
> in the manner you (everyone) would like.
>
> There are some pretty horrible crappy ways of making a Windows
> workstation speak to a Non-M$ KDC but it's rubbish - basically involves
> setting up local accounts on your workstation and then mapping those
> local accounts onto kerberos principals in your non-M$ KDC. This might
> be OK as a silly toy exercise or as a vague justification for claiming
> your (M$) product is actually Kerberos compliant but if you've got any
> reasonable number of workstations (i.e. more than one) then it's a
> pain. There's an article in Techweb somewhere on the M$ website that
> explains how to do it - although I don't think the instructions they
> give actually work....
Heh, I cut this... but a lot of what you were saying, while somewhat correct, was misleading. Active Directory can work fine in a Unix environment. A lot of folks do it. I do. In fact setting up Active Directory to authenticate off kerb5 and hand out kerb5 TGTs. Same goes for sub services... you can totally use bind9 in tandem with Active Directory.

The sketchy area is a unified directory service. Maybe someone else has better info than I. We currently maintain both Active Directory and an OpenLDAP server in our environment. I'd be interested in hearing what others have done to unify their directory services between Windows and Unix environments.

But as far as synchronizing Unix and Windows authentication... Kerberos works dandy in both areas. =D Being able to do GSSAPI-wit-mit authentication to servers with my Active Directory given MIT TGTs... is just plain cool.
--
Best regards,

Matthew Joyce                        System Administrator
Tel: 212.871.1747 x329        Visual Trading Systems, LLC
Mobile: 917.596.9619                 [EMAIL PROTECTED]


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
