> Colin Simpson <[EMAIL PROTECTED]> wrote:
> > I'm looking at finding a new solution to syncing passwords between AD
> > and Kerberos. We had been using CEDAR for this and it's great but the
> > passwdHK dll on windows hates it if you pass in an 8 bit ascii password.
> AD already is Kerberos. Why don't you just use your Active Directory
> controllers as the Kerberos KDCs as well?

AD is approximately Kerberos. And there are myriad reasons, technical, political, organizational, and more, why an organization might not do so.

In our case, we wrote our own code to do the sync process. For AD to MIT changes it is a DLL that hooks into the AD as the 'local password quality checking' DLL. On the MIT side it was the insertion of a small bit of code in about a half dozen places (princ create, update, delete, chpass, etc) into the server-side kadm library.

If you check the archives of this group, I'm pretty sure I've posted our server-side hooks (anyone who has added their own incremental-kprop between MIT KDCs is doing essentially the same thing).

John
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
