[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Questions about LDAP, Heimdal and 2003 Server

To: Timothy J Miller <tmiller@mitre.org>
Subject: Re: Questions about LDAP, Heimdal and 2003 Server
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Thu, 31 Jan 2008 09:44:42 -0800
Cc: heimdal-discuss@sics.se, <mailing-nospam@iit.ionis-group.com>
In-Reply-To: <B589E9D0-FE9E-4926-9F2E-C35264D16112@mitre.org>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <sympa.1201743684.29636.933@sics.se> <6D5062BC-FC78-4827-A22B-5B9117AAA0BC@jpl.nasa.gov> <B589E9D0-FE9E-4926-9F2E-C35264D16112@mitre.org>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>

On Jan 31, 2008, at 8:53 AM, Timothy J Miller wrote:

> On Jan 30, 2008, at 8:54 PM, Henry B. Hotz wrote:
>
>> You can deploy a Windows Domain with a cross-realm trust to  
>> Kerberos, but the LDAP information for Windows will be on the  
>> Domain controller.
>>
>> You might be able to replace your W2K3 server with a Samba 4  
>> server (which bundles a version of Heimdal), but this isn't the  
>> place to ask about that.
>
> Also, recall that Windows services require authorization-data to be  
> populated in the ticket, something that most KDCs don't do.
>
> -- Tim

The authz-data is populated by the DC in the service tickets in the  
cross-realm case.  That's why you need to buy a license based on the  
number of non-Windows Kerberos entries.  (No, there's no authz-data  
in the original tgt, or the cross-realm tgt, but the service never  
sees those.)

In the Samba 4 case I believe they have implemented extensions for  
the authz-data in their version of Heimdal.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

References:
- Questions about LDAP, Heimdal and 2003 Server
  - From: <mailing-nospam@iit.ionis-group.com>
- Re: Questions about LDAP, Heimdal and 2003 Server
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: Questions about LDAP, Heimdal and 2003 Server
  - From: Timothy J Miller <tmiller@mitre.org>

Prev by Date: Kerberos and Load balancing
Next by Date: Re: Kerberos and Load balancing
Prev by thread: Re: Questions about LDAP, Heimdal and 2003 Server
Next by thread: Re: Questions about LDAP, Heimdal and 2003 Server
Index(es):
- Date
- Thread