[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SSO (Kerberos), samba and windows XP desktop

On Apr 10, 2007, at 2:03 PM, paul@subsignal.org wrote:

> Pat Riehecky schrieb:
>> For what my $0.02 are worth http://www.openinput.com/auth-howto/  
>> may be
>> a good resource for pointing you in a direction (right or wrong I  
>> cannot
>> say)
> Nope, thats not going to help. The basic problem is: You won't get a
> ticket (with pac and all) for windows clients from a non AD KDC,  
> period.

You can "join" a Windows machine to an MIT (or Heimdal) Kerberos  
realm.  Microsoft hasn't updated the documentation since W2K, so the  
exact procedure is more obscure than one would like.  I see they've  
yanked the old document too.  Basically you need to define a "host"  
principal in the realm for your workstation and then get all the  
config information for the realm defined.  Finally you define a  
mapping between usernames and Kerberos principals.

I've done it a couple of times on virtual PCs, and it works as  
advertised.  Getting Windows to accept RC4 keys instead of only  
single-DES keys from a non-AD realm can get tricky though.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu