
Re: Heimdal client for Windows



On Mon, 29 Jan 2007 07:10:14 +0100
Stefan Gohmann <gohmann@univention.de> wrote:

> Am Sonntag, 28. Januar 2007 23:20 schrieb Michael B Allen:
> > On Sun, 28 Jan 2007 19:51:20 +0100
> >
> > Stefan Gohmann <gohmann@univention.de> wrote:
> > > Hi Henry,
> > >
> > > Am Freitag, 26. Januar 2007 20:22 schrieb Henry B. Hotz:
> > > > I had an exchange with Jeffrey Altman on MIT's krbdev list where I
> > > > worked through all the config items in Mozilla relatives to make a
> > > > Windows client use the Kerberos libraries in KfW.  You ought to be
> > > > able to find it with Google.  It works.
> > >
> > > that's very nice.
> > >
> > > > MS IE will always use the Microsoft kerberos implementation and the
> > > > tickets in the LSA.
> > >
> > > Does that mean, it is not possible that the MS IE uses the ticket from
> > > the Heimdal KDC?
> >
> > Not quite. IE could get a ticket from a Heimdal KDC but it would only
> > do so by going through the Local Security Authority (LSA). Meaning,
> > if you could run Heimdal client libs on a Windows client and the libs
> > used some kind of ccache file, IE would not be able to use it. The
> > Heimdal port would have to use the credential cache associated with the
> > logon session. Meaning it would have to have some LSA code to store and
> > retrieve credentials (code that MIT has and could largely be copied).
> >
> > Personally however I don't understand why someone would want to run
> > alternative Kerberos libraries on a Windows client. Unless perhaps you're
> > porting some *nix software that uses the MIT/Heimdal API maybe.
> 
> Thanks for your answer. Maybe it helps if I explain what I want to do.
> I have a Linux server with Heimdal KDC, Samba3, Apache with mod_auth_kerb and 
> a Windows XP Client, which is a member of the Samba3 domain.
> After the user logs on on the Windows client the user should get a Kerberos 
> ticket, so that he can do a single sign-on to the Apache server with his 
> Internet Explorer. Do I have other options than using the KfW libraries?

I don't think you want KfW at all. XP can get tickets from Heimdal without
KfW. There are two methods (neither of which I'm terribly familiar with
so ...). One is to join XP as a member of a workgroup. That would work
without Samba at all but there will be no LDAP server or RPC services so
there will be no SIDs or any access control to go with. But mod_auth_kerb
would work. The second method is to try to replace the DC with Samba so
that you get LDAP and RPC servers to supply the central account database
and an experience generally more consistent with regular Windows
networks. In either case I don't think installing additional Kerberos
libs on clients would really do anything for you.

Mike

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/
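The first method Mike describes (XP kept in a workgroup, pointed directly at the Heimdal realm so the LSA obtains the tickets and IE can use them without KfW) is done on the client with the ksetup tool. The following is an added example, not something posted in the thread; the realm name EXAMPLE.COM, the KDC host kdc.example.com, the client name and the machine password are placeholders. It assumes the KDC already holds a host/<client-fqdn>@EXAMPLE.COM principal whose password matches the one set with /setmachpassword, and that klist from the Windows Support Tools is installed for the final check.

```batch
rem Added example (not from the mailing-list thread): point a workgroup
rem Windows XP client at a Heimdal realm so the LSA fetches the tickets.
rem All names and the machine password below are placeholders.
rem Run from an administrative command prompt and reboot afterwards.

rem Prerequisite on the KDC (assumed): a principal host/xpclient.example.com@EXAMPLE.COM
rem created with Heimdal's kadmin, using the same password as /setmachpassword.

ksetup /setdomain EXAMPLE.COM
ksetup /addkdc EXAMPLE.COM kdc.example.com
ksetup /addkpasswd EXAMPLE.COM kdc.example.com
ksetup /setmachpassword MACHINE-PASSWORD-PLACEHOLDER

rem Map realm principals to local accounts. The wildcard maps every realm
rem principal to a local account of the same name; a per-user mapping such as
rem   ksetup /mapuser alice@EXAMPLE.COM alice
rem is the least-privilege choice and should be preferred where practical.
ksetup /mapuser * *

rem Checks: dump the realm configuration the LSA will use, and after logging
rem on with a realm account list the cached tickets (klist from Support Tools).
rem A TGT for krbtgt/EXAMPLE.COM@EXAMPLE.COM confirms the LSA path works.
ksetup /dumpstate
klist tickets
```

As Mike notes, this gives a working TGT for IE and mod_auth_kerb but no SIDs or domain access control, since there is no LDAP or RPC service behind the realm; the Samba-as-DC route is the one to take if those are needed.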