[28601] in Kerberos
Re: Kerberos setup help
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Oct 24 11:34:35 2007
Message-ID: <471F65C2.4080104@anl.gov>
Date: Wed, 24 Oct 2007 10:33:22 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Ramesh Rao <rao.rao.d@gmail.com>
In-Reply-To: <db0a16b90710240025r4256b4fes6bc508a88bf81ca1@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Ramesh Rao wrote:
> Hi
>
> I have 2 win2003 servers, and on one of the systems installed AD Server,
> can you please help by sending the steps how to configure the Kerberos
Just off the top of my head, some issues:
Start here: http://technet.microsoft.com/en-us/library/Bb742433.aspx
AD 2003 and newer Kerberos can all do RC4, so you are not limited to DES.
The Microsoft PAC in a ticket can make the ticket very large
which might cause problems for some Unix applications
see http://support.microsoft.com/kb/832572
AD has a password for an account, but an account can have
multiple UPN and SPNs. (The key for the principal is derived
by the KDC from the password.) So best to have each service
principal have its own account.
Adding accounts with SPNs to AD can be done with ktpass
Google for msktutil that uses OpenLDAP and SASL/gssapi to
update AD and keytab files. (Samba can do some of this too.)
AD can do referrals; Kerberos still uses the krb5.conf [domain_realm].
So AD clients may have problems finding services registered in
a non-AD realm. There is some way to use the Global Catalog
to add the mapping.
>
> Regards
> Ramesh
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
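An added example (not part of the message above, and not code from MIT Kerberos or Microsoft) illustrating the [domain_realm] point: it parses a constructed krb5.conf fragment and resolves service hostnames to realms the way the MIT client library does, so you can see which hosts would be sent to the wrong KDC when a mapping is missing. All realm and host names are hypothetical.

```python
"""Added example (not from the original message): parse the [domain_realm]
section of a constructed krb5.conf and resolve service hostnames to realms
the way MIT Kerberos does, to show why a host in a non-AD domain needs an
explicit mapping. Realm and host names below are hypothetical."""

# Constructed krb5.conf fragment: an AD realm plus a separate non-AD (MIT) realm.
KRB5_CONF = """
[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = false

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc01.ad.example.com
    }
    UNIX.EXAMPLE.COM = {
        kdc = kdc01.unix.example.com
    }

[domain_realm]
    # Every host under ad.example.com belongs to the AD realm ...
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM
    # ... except this one box, which is registered in the MIT realm.
    legacy01.ad.example.com = UNIX.EXAMPLE.COM
    .unix.example.com = UNIX.EXAMPLE.COM
"""


def parse_sections(text):
    """Return {section: {key: value}} for the flat 'key = value' lines.
    Brace-delimited sub-blocks (as in [realms]) are skipped; they are not
    needed for the host-to-realm lookup demonstrated here."""
    sections = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        depth += line.count('{') - line.count('}')
        if depth > 0 or current is None or '=' not in line:
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip().lower()] = value.strip()
    return sections


def host_to_realm(hostname, conf):
    """Simplified MIT krb5 resolution: an exact hostname entry wins, then the
    longest matching '.parent.domain' entry, then default_realm. (Real krb5
    can also consult DNS TXT records when dns_lookup_realm is on; omitted.)"""
    host = hostname.rstrip('.').lower()
    mapping = conf.get('domain_realm', {})
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):           # .a.b.c, then .b.c, then .c
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    # No mapping: the client guesses the default realm and will ask the wrong
    # KDC for a service ticket, the failure mode described in the reply above.
    return conf.get('libdefaults', {}).get('default_realm')


if __name__ == '__main__':
    conf = parse_sections(KRB5_CONF)
    for h in ('files.ad.example.com', 'legacy01.ad.example.com',
              'nfs.unix.example.com', 'nfs.other.example.net'):
        print(f'{h:28} -> {host_to_realm(h, conf)}')
```

Run it and compare the output against where each service principal is actually registered: any host that resolves to AD.EXAMPLE.COM but whose keytab lives in the MIT realm needs its own [domain_realm] entry (or the Global Catalog mapping the reply mentions) before clients in the AD realm can get a service ticket for it.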