Re: SSO (Kerberos), samba and windows XP desktop
On Apr 10, 2007, at 2:03 PM, paul@subsignal.org wrote:
> Pat Riehecky wrote:
>> For what my $0.02 are worth http://www.openinput.com/auth-howto/ may be
>> a good resource for pointing you in a direction (right or wrong I cannot
>> say)
> Nope, that's not going to help. The basic problem is: You won't get a
> ticket (with PAC and all) for Windows clients from a non-AD KDC,
> period.
You can "join" a Windows machine to an MIT (or Heimdal) Kerberos
realm. Microsoft hasn't updated the documentation since W2K, so the
exact procedure is more obscure than one would like. I see they've
yanked the old document too. Basically you need to define a "host"
principal in the realm for your workstation and then get all the
config information for the realm defined. Finally you define a
mapping between usernames and Kerberos principals.
I've done it a couple of times on virtual PCs, and it works as
advertised. Getting Windows to accept RC4 keys instead of only
single-DES keys from a non-AD realm can get tricky though.
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
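
The three steps described in the message above (host principal, realm configuration, user mapping), written out as an added example that is not part of the original post. The realm, host, account names and password are placeholders, and the ksetup switch names follow Microsoft's current ksetup documentation; Windows 2000-era builds of the tool spelled two of them /setdomain and /setmachpassword.

```powershell
# Added example: every value below is a constructed placeholder, not from the thread.
$Realm     = 'EXAMPLE.COM'         # hypothetical MIT/Heimdal realm
$Kdc       = 'kdc1.example.com'    # hypothetical KDC host
$Principal = 'alice@EXAMPLE.COM'   # hypothetical Kerberos principal
$LocalUser = 'alice'               # hypothetical local Windows account

# Step 1 is done on the KDC, not on Windows (MIT kadmin syntax):
#   kadmin: addprinc -pw <MACHINE-PASSWORD> host/ws01.example.com
# The key types on that principal must include one the Windows client
# accepts (the RC4 versus single-DES issue mentioned in the message).

# Step 2: tell the workstation about the realm and its KDC, then set the
# machine password to the same value used for the host principal.
ksetup /setrealm $Realm
ksetup /addkdc $Realm $Kdc
ksetup /setcomputerpassword '<MACHINE-PASSWORD>'

# Restart the workstation here so the realm settings take effect.

# Step 3: map the Kerberos principal to a local account. Without a mapping
# the user can authenticate to the KDC but has no Windows account to log on as.
ksetup /mapuser $Principal $LocalUser

# Review what was configured (realm, KDC list, mappings).
ksetup /dumpstate
```

Use a long random machine password and keep it out of shell history and scripts, since anyone who knows it can derive the workstation's host key.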