[OpenAFS] Re: Slightly unrelated question
Fri, 28 Jan 2011 13:25:24 +0100
* Andrew Deason [2011-01-27 09:53:47 -0600]:
> On Thu, 27 Jan 2011 15:15:02 +0100 (CET)
> Harald Barth <firstname.lastname@example.org> wrote:
> > > No Windows AD/KDC planned, but Windows clients integration with
> > > standard KDC and possibly OpenAFS will be important.
> > Good luck with not needing an AD, but I think both Heimdal and MIT can
> > be cross realmed with an AD when you need it.
> To be clear, Meie, do you want to use Heimdal/MIT Kerberos for
> authentication for logging in to Windows, or do you just want tickets
> after you have logged in?
> Integration with the Windows login system I believe is almost always
> done via AD. I think it's possible to not use AD if someone wrote a
> Kerberos pGina plugin (or maybe Samba, but that's just replacing AD, not
> getting rid of its role), but as far as I know nobody does that.
Polyphemus' famous word :-)
I do have a handful (too few to bother with an AD) of Windows
boxes that authenticate against a Heimdal KDC. I did *not* need to
replace MSGINA. Microsoft provides a set of Support Tools (on the
Windows installation media, and as a download) that includes a
command-line utility known as ksetup. Microsoft has also published
instructions on how to use it, and they work for me. At least under
Windows 2000 and XP; I haven't had to apply this treatment to a more
recent Windows release yet.
> But if
> you just want to get tickets/tokens after the user has logged in, that
> is much more common and easier to do.
> Andrew Deason