
Re: using active directory keys

Dave Love wrote:
> "Douglas E. Engert" <deengert@anl.gov> writes:
> 
> 
>>But if the user principals are registered in a Hiemdal realm, with
>>cross realm trust to the AD domain, AD can accept this. This does require
>>an AD account for the user but no password for AD.
> 
> 
> Sure.  The issue is AD accounts that aren't in the Heimdal realm
> currently.  They can't participate in SSO to the rest of the world
> without admin setting their passwords.  (Or am I being stupid?)

You might be missing something here. You can do SSO to the rest of the
world using your AD principals. You can either have your unix services registered
in AD, or can do cross realm to some Kerberos realm that has the unix services.
I do this every day. My user principal is in AD. I can use it to logon to Windows
or to logon to Solaris at the console. Then use ssh with gssapi to get to some other
machine. I can get AFS tokens too. An AD can act as a KDC, and you can set up
cross realm trust with straight Kerberos realms to work in both directions.

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
is a good place to start.

> 
> I think Luke's suggestion is what I want, once I find out how to load
> the keys into Heimdal.  If there's no info around, I can write notes
> if/when I get it going.

So what you are really trying to do is copy or move principals from AD
to some other realm keeping the same password for the user. As I understand
it, AD keeps the password in the database hidden somewhere. If your domain
also supports NTLM authentication, then it might be possible to
access the NTLM copy of the password instead. They should be in sync.



-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
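The two-way cross-realm layout Douglas describes (users in AD, Unix services in a separate Kerberos realm, AD acting as a KDC), as an added krb5.conf example that is not part of the original message. The realm names EXAMPLE.ORG and AD.EXAMPLE.COM and the host names are constructed placeholders; the AD side of the trust is created on the Windows side as in the Microsoft document linked above.

```ini
# Constructed example krb5.conf for a Unix client or server.
# Assumed names: Unix realm EXAMPLE.ORG (Heimdal/MIT KDC), AD domain
# AD.EXAMPLE.COM (domain controllers act as KDCs). Both realms must
# hold matching krbtgt/EXAMPLE.ORG@AD.EXAMPLE.COM and
# krbtgt/AD.EXAMPLE.COM@EXAMPLE.ORG principals for a two-way trust.

[libdefaults]
    # Host principals for Unix services live in the Unix realm.
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        admin_server = kdc1.example.org
    }
    AD.EXAMPLE.COM = {
        # Every domain controller is a KDC for the AD realm;
        # list more than one so a single DC outage does not break SSO.
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
    }

[domain_realm]
    # Map hosts to realms so ssh/gssapi asks the right KDC for
    # host/<fqdn> service tickets. A user whose TGT is from
    # AD.EXAMPLE.COM reaching a host in example.org obtains the
    # cross-realm TGT for EXAMPLE.ORG from the AD KDC first.
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM

# No [capaths] section: this example assumes a direct trust between
# the two realms with no intermediate realm in between.
```

After an AD user runs `kinit user@AD.EXAMPLE.COM` on the Unix host, `klist` should show the cross-realm TGT krbtgt/EXAMPLE.ORG@AD.EXAMPLE.COM alongside the service ticket once ssh with GSSAPI succeeds; its absence points at the trust or the domain_realm mapping rather than at ssh.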