On Apr 11, 2007, at 2:18 PM, Andrew Bartlett wrote:

>> Cross-realm trusts that don't correspond to DNS domains are really
>> cumbersome to make work.  Still, if nothing else, couldn't you run
>> the Samba copy of Heimdal with the Samba service itself as content?
> I'm not quite sure what you mean here...

In the scenario below, how would a non-windows client know to ask the  
Samba Heimdal KDC for the service ticket instead of the regular KDC?   
(I put stuff in the wrong order.)  The answer is 1) implement  
referrals, and hope all your clients understand them, or 2) try to  
get a custom entry in the [domain_realm] sections of everyone's  
client machines.  Both seem problematic, unless you have a very  
carefully controlled environment.

>> All users would come from your primary Kerberos service.  This is the
>> documented Microsoft way of supporting non-Microsoft Kerberos realms.
> I've just not looked into this yet, but it sounds hairy.

Look at Doug Engert's post earlier in this thread.  Substitute Samba  
Heimdal for AD.

Note that he gives a current, live link to the kerb steps doc from  
Microsoft that I thought had been pulled.
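As an added illustration (not part of the original thread), option 2 above looks like this in a client's krb5.conf; the realm names, KDC hostnames and the Samba host are placeholders, and the point is that the exact-hostname entry in [domain_realm] overrides the domain-suffix entry, so the client asks the Samba Heimdal realm for that one service:

```ini
# Added example, not from the thread. Realm and host names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # Primary realm, where all user principals live
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
    # Separate realm served by the Samba copy of Heimdal
    SAMBA.EXAMPLE.COM = {
        kdc = samba.example.com
    }

[domain_realm]
    # Default mapping: everything under example.com belongs to the primary realm
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    # Custom entry: the Samba host alone is mapped to the Samba Heimdal realm,
    # so a service ticket for cifs/samba.example.com is requested from that
    # KDC (reached through a cross-realm TGT from EXAMPLE.COM). This line has
    # to be present on every client, which is the maintenance problem above.
    samba.example.com = SAMBA.EXAMPLE.COM
```

After `kinit`, `kvno cifs/samba.example.com` followed by `klist` shows whether the service ticket was issued by SAMBA.EXAMPLE.COM or the client fell back to the primary realm.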

