
Re: Heimdal client for Windows



On Mon, 2007-01-29 at 07:10 +0100, Stefan Gohmann wrote:
> On Sunday, 28 January 2007 23:20, Michael B Allen wrote:
> > On Sun, 28 Jan 2007 19:51:20 +0100
> >
> > Stefan Gohmann <gohmann@univention.de> wrote:
> > > Hi Henry,
> > >
> > > On Friday, 26 January 2007 20:22, Henry B. Hotz wrote:
> > > > I had an exchange with Jeffrey Altman on MIT's krbdev list where I
> > > > worked through all the config items in Mozilla relatives to make a
> > > > Windows client use the Kerberos libraries in KfW.  You ought to be
> > > > able to find it with Google.  It works.
> > >
> > > that's very nice.
> > >
> > > > MS IE will always use the Microsoft kerberos implementation and the
> > > > tickets in the LSA.
> > >
> > > Does that mean, it is not possible that the MS IE uses the ticket from
> > > the Heimdal KDC?
> >
> > Not quite. IE could get a ticket from a Heimdal KDC but it would only
> > do so by going through the Local Security Authority (LSA). Meaning,
> > if you could run Heimdal client libs on a Windows client and the libs
> > used some kind of ccache file, IE would not be able to use it. The
> > Heimdal port would have to use the credential cache associated with the
> > logon session. Meaning it would have to have some LSA code to store and
> > retrieve credentials (code that MIT has and could largely be copied).
> >
> > Personally however I don't understand why someone would want to run
> > alternative Kerberos libraries on a Windows client. Unless perhaps you're
> > porting some *nix software that uses the MIT/Heimdal API maybe.
> 
> Thanks for your answer. Maybe it helps if I explain what I want to do.
> I have a Linux server with Heimdal KDC, Samba3, Apache with mod_auth_kerb and 
> a Windows XP client, which is a member of the Samba3 domain.
> After the user logs on to the Windows client, the user should get a Kerberos 
> ticket, so that he can do a single sign-on to the Apache server with his 
> Internet Explorer. Do I have other options than using the KfW libraries?

These are exactly the reasons I'm working on Samba4.  This will allow
you to get the ticket at domain logon, which is what you want...

For a similar effect (single sign on to the apache server) see
mod_auth_ntlm_winbind.  

NTLMSSP sucks, but works.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

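As an added illustration of the two server-side options discussed in this thread (not configuration posted by any participant, and not taken from Samba or mod_auth_kerb documentation verbatim), here is what the Apache side of each looks like. The realm EXAMPLE.COM, the keytab path, the /secure location and the ntlm_auth path are assumptions for the example. The first block is the mod_auth_kerb setup Stefan already runs, which only succeeds if the browser can present a Kerberos ticket via Negotiate; the second is the mod_auth_ntlm_winbind setup Andrew points to, where Apache hands the client's NTLMSSP or SPNEGO token to Samba's ntlm_auth helper so that the domain member server, not the browser's Kerberos stack, decides.

```apache
# Option 1: mod_auth_kerb, Negotiate (SPNEGO/Kerberos) only.
# Assumes the HTTP/hostname@EXAMPLE.COM principal is in the keytab and the
# keytab is readable only by the Apache run-as user.
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate On
    # Keep the password fallback off: with it on, a client that cannot do
    # Negotiate is prompted for Basic auth and sends its password to the
    # web server, which is not single sign-on.
    KrbMethodK5Passwd Off
    Require valid-user
</Location>

# Option 2: mod_auth_ntlm_winbind, delegating to Samba's ntlm_auth helper.
# Assumes the Linux box is a domain member with winbindd running and the
# Apache user may access winbindd's privileged pipe. The gss-spnego helper
# protocol accepts SPNEGO tokens, so a client with a Kerberos ticket is
# still handled; the squid-2.5-ntlmssp helper covers raw NTLMSSP.
<Location /secure>
    AuthName "Domain Login"
    NTLMAuth On
    NegotiateAuth On
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NegotiateAuthHelper "/usr/bin/ntlm_auth --helper-protocol=gss-spnego"
    NTLMBasicAuthoritative On
    AuthType NTLM
    Require valid-user
</Location>
```

Only one of the two blocks should apply to a given location. Whichever is used, the check that matters for Stefan's scenario is on the client: with option 1, the browser must hold a ticket for HTTP/hostname in the LSA credential cache (on XP, klist from the Windows Resource Kit shows it) and the site must be in IE's Local intranet zone for Negotiate to be attempted at all; with option 2 the browser falls back to NTLMSSP when no ticket is available, which is the "sucks, but works" path Andrew describes.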