Hi Tim,

No, I wasn't aware of that.... That sucks! I guess Kerberos is no good for what I need then. Damn.

Now that the AD protocol is open, are there any plans to implement this into Kerberos so it can be used without AD? I'm not sure I would need Kerberos if I had an AD running my domain.

Thanks,
Tom

On Wed, Apr 7, 2010 at 8:53 AM, Tim Alsop <[email protected]> wrote:
> Tom,
>
> I hope you are aware of the PAC data in the Kerberos tickets issued by MS
> AD, and because of this requirement for Windows login, the Active Directory
> domain still needs to be involved, even if the user is logging into Windows
> using a non Active Directory KDC (e.g. MIT on UNIX). Basically you just need
> to run ksetup on the workstation to configure the non AD realm, then set up trust
> between AD and the non AD realm and you can log in from Windows 7 clients.
>
> Thanks,
> Tim Alsop
> CyberSafe
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf
> Of Tom Medhurst
> Sent: 07 April 2010 08:45
> To: [email protected]
> Subject: Kerberos Rant
>
> Hi There,
> I apologise in advance for the following rant, but I believe there are
> issues that need addressing...
>
> I am completely unable to get Windows clients authenticating against a
> Kerberos 5 server. I truly appreciate the assistance that Douglas has given
> me with that case, but we have been unsuccessful in getting it to work.
>
> In fact there are forum posts all over the web, full of people who are
> unable to get Windows clients authenticating against krb5; all that I have
> encountered have been left unanswered.
>
> This message isn't directed in any way towards Douglas (who says he has been
> using Active Directory for many years now, and no longer uses MIT Kerberos
> for authenticating Windows clients); but it is directed at the Project
> Managers (if there are any?) who have decided that Windows client
> authentication isn't a high enough priority to get working/documented (all
> documentation on your site mentions Windows 2000 and the instructions are no
> longer valid and things have changed in the last 11 years!!).
>
> My complaint is the Kerberos project is all about a security protocol. One
> which can be used to replace the standard user authentication system of the
> OS. Now it doesn't matter how Unix-friendly a company is; at some point in
> time they will want/need to connect a Windows machine to their network (for
> argument's sake, say the boss's new girlfriend has a Windows laptop) and risk
> assessors will think of scenarios like this before using a technology.
> If you can't cater for Windows' vast market share, you are no longer a
> viable option!!
>
> The main reason for this rant is because I have seen the amazing code that
> you guys have poured into the project. Plus you've made it open source!
> That's absolutely fantastic!! The problem is I have spent weeks trying to
> get this working, and now I basically have something that is worthless. The
> amount of time I've spent on this exceeds the cost of a *Winblows* Server OS
> which ships with Active Directory!
>
> I dislike Windows probably more than the next Unix geek, and this is why I
> chose to write this email rather than just move on to the more obvious
> solution. I really want to use Kerberos as a homogeneous logon service for
> networks I provide to customers, but without Windows support I simply cannot,
> and the cost of installing a system for a startup company rises enormously.
>
> I am not going to consider Samba 4 as an alternative as it has been in beta
> for more than 3 years and is not yet fit for enterprise use. Kerberos is!
>
> I plead with anyone who has had Windows 7 authenticating against an MIT
> Kerberos server to please assist me in getting it working. I'd be happy to
> contribute a large document to your web site explaining how we achieved the
> end goal (including caveats like DES being disabled by default in Windows 7:
> http://technet.microsoft.com/en-us/library/dd560670(WS.10).aspx )
> so others can learn from our hard work.
>
> If there isn't, I urge whoever steers the direction of this project to stop
> overlooking such a fundamental area.
>
> It may currently work, but without support or documentation for Windows XP/7
> clients, it may as well not work.
>
> Please don't take this rant as an insult to all your hard work. I myself
> contribute/run many open source projects and understand the dilemma of
> spending so much time on something which can't easily create a steady revenue.
> I am hoping the tone of this email is just enough to warrant some attention
> by the appropriate parties and action to be taken.
>
> Many thanks for your time,
> Kind Regards
> Tom Medhurst
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
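As an added illustration of the setup Tim describes (not commands from this thread or from the MIT or Microsoft documentation), the cross-realm steps with assumed names MIT.EXAMPLE.COM, AD.EXAMPLE.COM, kdc.mit.example.com and user tom; the MIT-side principal is shown as a comment because it is typed into kadmin.local on the KDC, not on Windows.

```powershell
# On the MIT KDC (kadmin.local), create the cross-realm principal that lets
# AD.EXAMPLE.COM accept tickets from the MIT realm. Use AES or RC4 enctypes,
# not DES: Windows 7 has DES disabled by default (assumed names throughout).
# The password chosen here must match the /PasswordT value used with netdom.
#   addprinc -e aes256-cts:normal,arcfour-hmac:normal krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM

# On an AD domain controller: make AD.EXAMPLE.COM trust the non-AD realm.
netdom trust AD.EXAMPLE.COM /Domain:MIT.EXAMPLE.COM /add /realm /PasswordT:"<same password as the krbtgt principal>"

# Map the MIT principal to an AD account. The PAC in the service tickets is
# built from this AD account, which is why the domain still has to be involved.
Import-Module ActiveDirectory
Set-ADUser -Identity tom -Add @{altSecurityIdentities = "Kerberos:tom@MIT.EXAMPLE.COM"}

# On each Windows 7 workstation (joined to AD.EXAMPLE.COM): tell the Kerberos
# SSP where the KDC for the MIT realm lives, then reboot before logging on.
ksetup /addkdc MIT.EXAMPLE.COM kdc.mit.example.com

# Log on by typing the full principal, tom@MIT.EXAMPLE.COM, in the user name
# field. Afterwards, verify the trust and inspect the tickets that were issued.
netdom trust AD.EXAMPLE.COM /Domain:MIT.EXAMPLE.COM /verify
klist
```

If the logon fails with a "KDC has no support for encryption type" error, compare the enctypes on the cross-realm krbtgt principal with what the Windows client is allowed to use; enabling DES on the client is the wrong fix.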
