[31594] in Kerberos


Re: Connecting Windows 2003 to separate MIT Kerberos Server?

daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Fri Oct 16 11:21:19 2009

Message-ID: <4AD88F4A.4020804@anl.gov>
Date: Fri, 16 Oct 2009 10:20:42 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: Tomas Gustavsson <tomplast@gmail.com>
In-Reply-To: <b5b729e50910160753w1c52883ex2adfb308169e6333@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu



Tomas Gustavsson wrote:
> Hi!
> 
> My name is Tomas and I'm trying to set up MIT Kerberos on a Linux server and
> I would like Microsoft Windows 2003 Server (and all clients connected to it)
> to use my "Linux Kerberos" instead of the native one in Windows. Maybe I have
> misunderstood some parts here and there and I'm a beginner when it comes to
> Kerberos (started reading about it a couple of days ago) but I have chosen
> this as my final project; I'm studying to become a (junior) Linux
> administrator.

Sounds more like a master level project to me :-)

> I have Googled and looked into some documents but I can't find
> anything useful that helps me do what I want. So if you can tell me if it's
> possible to make Windows 2003 Server use a separate MIT Kerberos server
> and how it's done then I would be very happy.
> 

Short answer: Windows expects Kerberos tickets to have a PAC, which has authorization
data with SUID and Group membership stuff maintained by Windows Active Directory.
This is carried by an extension to the Kerberos protocol. The PAC is added by Windows AD.

So you need either:
   (1) Cross realm between a Kerberos realm and AD domain where you authenticate to
       Kerberos, and the cross realm TGT will get a PAC. Start here as this might
       give you other ideas too. It's old but short and most of it still applies.

       http://technet.microsoft.com/en-us/library/bb742433.aspx

   (2) Use a Kerberos server which can add the PAC. But it then needs the Authorization
       database too. Have you looked at Samba yet?

> 
> P.S. I only have a couple of days to complete the project so time is of
> the essence. D.S.

Good luck...

> 
> Thank you.
> 
> Best regards
> /Tomas Gustavsson
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
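An added example (not from the thread) of the client-side krb5.conf for option (1), a cross-realm trust between an MIT realm and an AD domain. The realm and host names are assumptions; the two krbtgt principals named in the comments must exist on both sides with the same key, and AD must map each MIT principal to an AD account before it will issue a PAC for it.

```ini
# krb5.conf (constructed example; realm and host names are assumptions)
# MIT realm: EXAMPLE.ORG, AD domain: AD.EXAMPLE.ORG
#
# Trust keys required for the cross-realm hop (create on both sides with
# the same password):
#   on the MIT KDC:  krbtgt/AD.EXAMPLE.ORG@EXAMPLE.ORG
#   on the AD side:  krbtgt/EXAMPLE.ORG@AD.EXAMPLE.ORG
# AD then needs an account mapping (altSecurityIdentities) from
# user@EXAMPLE.ORG to an AD account so the referral ticket gets a PAC.

[libdefaults]
    default_realm = EXAMPLE.ORG
    # Resolve KDCs by hostname below; do not rely on DNS guessing
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Clock skew matters for both MIT and AD; keep the default tight
    clockskew = 300

[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        admin_server = kdc1.example.org
    }
    AD.EXAMPLE.ORG = {
        kdc = dc1.ad.example.org
        admin_server = dc1.ad.example.org
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
    .ad.example.org = AD.EXAMPLE.ORG
    ad.example.org = AD.EXAMPLE.ORG

[capaths]
    # A direct trust in each direction: "." means no intermediate realm
    EXAMPLE.ORG = {
        AD.EXAMPLE.ORG = .
    }
    AD.EXAMPLE.ORG = {
        EXAMPLE.ORG = .
    }
```

With this in place a user who does kinit against EXAMPLE.ORG and then requests a service in AD.EXAMPLE.ORG obtains a krbtgt/AD.EXAMPLE.ORG@EXAMPLE.ORG ticket first; klist will show it, which is the quickest check that the trust path is being used.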
