On Thu, 2004-04-29 at 01:08, Oron Peled wrote:
> On Thursday 29 April 2004 01:00, Yonah Russ wrote:
> > Active directories is very heavy on kerberos- it's theoretically
> > possible to use the same kerberos for both the active directory and
> > linux- I've read you can even convince active directories to use a linux
> > kerberos server.
>
> I would be very cautious about this. Take a look at:
> http://www.usenix.org/publications/login/1997-11/embraces.html
The only difference is that the "application-specific data" field in the Kerberos ticket contains SIDs (security identifiers) of the groups the user is a member of. As non-Microsoft clients do not need this field, and this does not break the authentication process, I would personally say that the claims are unfounded. More than that, the PAC (privileged access certificate - the "application-specific" field in the Kerberos ticket) has been published long ago:
http://www.microsoft.com/Downloads/details.aspx?displaylang=en&FamilyID=BF61D972-5086-49FB-A79C-53A5FD27A092
(link may wrap)

> As usual, MS "extended" the protocol with some undocumented credential
> information specific to Windows. They also chose to do it in a brutal way
> by using fields marked in the RFC as "unused".

As I said: MS uses the RFC-defined "application-specific" field. You can bash its implementation, but it's not an RFC violation.

> Now, there is some interoperability:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
>
> But while it looks obvious that Unix/Linux machines would authenticate against
> a W2K kdc, I'm not sure if a Win* client that authenticates against a nominal
> MIT kdc gets all the features (I'm not very fluent in MS-speak :-), or maybe
> it is only authorized for a "compatibility mode" subset of features (which is
> what I would expect MS to implement).

<MS-slang buzz>
Depends. MS Kerberos is not multi-part. You can not have Kerberos principals in the form of moshe/[EMAIL PROTECTED] - you need to explicitly do some mappings to have multi-part entries. Yet, there are more than enough places in the world (usually universities) that do MIT Kerberos authentication for AD clients without breaking anything. Of course, in the case of MIT KerbV, there are limitations to what AD can provide you, as in any case when you try to break apart a bundle of tightly working services.

AD was not built with external services doing its own job in mind, yet it can provide compliant services to non-MS clients. BTW, watch out: by default the Kerberos TGT lifetime in AD is 8 or 10 hours (W2K or W2K3). After that you need to kinit to renew the ticket, or you can use winbind from Samba3, which will do the work for you (never tested that, but saw it mentioned).
</MS-slang buzz>

Guy
-- 
Smith & Wesson - the original point and click interface
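Since the thread turns on what sits in the ticket's "application-specific" (authorization-data) field, here is an added worked example that is not code from this thread: a small Python parser for the PAC buffer directory as laid out in the public MS-PAC specification (PACTYPE header, PAC_INFO_BUFFER entries, PAC_CLIENT_INFO), run over a constructed sample PAC. The sample principal name and the zeroed checksums are constructed values, and a non-Microsoft client that walks this directory can locate and ignore the Windows-specific buffers exactly as the post describes.

```python
import struct

# PAC buffer types (ulType) from MS-PAC; the LOGON_INFO buffer is the one
# that carries the user's group SIDs the post talks about.
PAC_TYPES = {1: "LOGON_INFO", 6: "SERVER_CHECKSUM", 7: "KDC_CHECKSUM",
             10: "CLIENT_INFO", 12: "UPN_DNS_INFO", 18: "REQUESTOR_SID"}

def build_pac(buffers):
    """Serialise a PACTYPE: cBuffers, Version (0), then one PAC_INFO_BUFFER
    per payload (ulType, cbBufferSize, 64-bit Offset from PACTYPE start),
    followed by the payloads, each padded to an 8-byte boundary."""
    header_len = 8 + 16 * len(buffers)
    directory, payload, offset = b"", b"", header_len
    for ul_type, data in buffers:
        directory += struct.pack("<IIQ", ul_type, len(data), offset)
        padded = data + b"\0" * (-len(data) % 8)
        payload += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + directory + payload

def parse_pac(blob):
    """Return {ulType: payload bytes}; reject an unknown version and any
    directory entry whose offset/size would read outside the blob."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PAC version %d" % version)
    out = {}
    for i in range(count):
        ul_type, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if off + size > len(blob):
            raise ValueError("PAC buffer %d points outside the blob" % ul_type)
        out[ul_type] = blob[off:off + size]
    return out

def client_name(pac):
    """PAC_CLIENT_INFO: FILETIME ClientId, uint16 NameLength (in bytes),
    then the client principal name as UTF-16LE."""
    buf = pac[10]
    name_len = struct.unpack_from("<H", buf, 8)[0]
    return buf[10:10 + name_len].decode("utf-16-le")

# Constructed sample PAC: client info plus server and KDC checksum buffers.
# SignatureType 16 is HMAC_SHA1_96_AES256 (12-byte signature, zeroed here).
SAMPLE_PAC = build_pac([
    (10, struct.pack("<QH", 0, 10) + "moshe".encode("utf-16-le")),
    (6, struct.pack("<I", 16) + b"\0" * 12),
    (7, struct.pack("<I", 16) + b"\0" * 12),
])
```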
