Ido Levy wrote:
> Hello All,
>
> I am planning to create trusted authorities between AD server and MIT-based
> kerberos server.
> I would appreciate your advice/links on how it's possible to implement such
> system, if it works properly and what are the known issues with such
> implementation.
Yes it works. Just off the top of my head some issues:

Start here: http://technet.microsoft.com/en-us/library/Bb742433.aspx

AD 2003 and newer Kerberos can all do RC4, so you are not limited to DES.

The Microsoft PAC in a ticket can make the ticket very large, which might cause
problems for some Unix applications; see http://support.microsoft.com/kb/832572

AD has a password for an account, but an account can have multiple UPNs and SPNs.
(The key for the principal is derived by the KDC from the password.) So best to
have each service principal have its own account. Adding accounts with SPNs to AD
can be done with ktpass. Google for msktutil, which uses OpenLDAP and SASL/gssapi
to update AD and keytab files. (Samba can do some of this too.)

AD can do referrals; Kerberos still uses the krb5.conf [domain_realm], so AD
clients may have problems finding services registered in a non-AD realm. There is
some way to use the Global Catalog to add the mapping.

>
> Thank you.
>
> Ido Levy
> IBM Haifa Labs, Israel
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
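The [domain_realm] mapping and the RC4/PAC points raised in the reply above, as an added example krb5.conf for a direct MIT-to-AD cross-realm trust; this is not from the original thread, and the realm names, hostnames and DNS suffixes are assumed placeholders.

```ini
# Added example, not from the original post. EXAMPLE.COM (MIT KDC) and
# AD.EXAMPLE.COM (Active Directory) and all hostnames are assumed placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # AD 2003 and newer speak RC4, so DES does not need to be permitted at all.
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
    # Tickets carrying a large MS-PAC can exceed a UDP datagram; force TCP
    # to the KDCs so replies are never truncated.
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

[domain_realm]
    # Without these lines a client guesses the realm from the host's DNS
    # domain and cannot locate services registered in the non-AD realm.
    .unix.example.com = EXAMPLE.COM
    unix.example.com = EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM

[capaths]
    # Two-way direct trust: "." means no intermediate realm on the path.
    EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        EXAMPLE.COM = .
    }
```

A client in either realm then resolves a host under unix.example.com to EXAMPLE.COM and a host under ad.example.com to AD.EXAMPLE.COM before requesting the cross-realm TGT; the same host-to-realm rule is what the Global Catalog mapping mentioned above has to provide for AD clients that do not read krb5.conf.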
