w2k client login to kerberos realm
foo@commerceflow.com
foo at commerceflow.com
Mon Nov 11 23:18:16 EST 2002
> > Empirical evidence suggests you're giving an incomplete answer here.
> > I have a W2K box on my desk for which I log into an MIT account which
> > is mapped by the domain to a domain account. No local account exists.
>
> Hmm not sure how you did that as it conflicts directly with the
> documentation on the microsoft website, and my own experience.
>
> If there's a way to get it to work it'd be useful to me, as at the moment
> I have to choose between kerberos or domain login when logging in.
Microsoft did document this, in the kerbsteps.asp file. Look at the
"Setting Trust with a Kerberos Realm" section of
http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/kerbsteps.asp
I set up a test network that did something like this a while ago. It's
long gone, so I can't pull configs off it, but here's what I remember
from my notes: (it appears the same as what's at the URL I listed)
the AD realm is WOFFICE, the kerberos realm is OFFICE
the workstations need a krb5.conf equivalent entry for OFFICE, use
ksetup /addkdc to make it.
the realms need a shared key (I think)
each account needs a mapping account mapping between the realms. use
"Active Directory Users and Computers" to map foo at WOFFICE to
foo at WOFFICE
the workstation's login screen will have 2 realms. the kerberos one,
and the AD one. Users shouldn't know the passwords in the AD realm,
and if they select the kerberos one all the right things
happen. (they can also just log in as foo at OFFICE, and it'll figure
out the right realm)
seph
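The steps seph lists above, written out as the commands a Windows 2000 admin would actually type; this is an added example, not part of the original post or of the Microsoft document it cites. Assumed names: the MIT KDC host is kdc.office.example, the AD domain is WOFFICE, the MIT realm is OFFICE, and the trust password is a placeholder.

```powershell
# Added example (not from the post). Assumptions: MIT KDC at
# kdc.office.example, AD domain WOFFICE, MIT realm OFFICE.
$kdc     = 'kdc.office.example'
$trustPw = 'PLACEHOLDER-TRUST-PASSWORD'   # set the same value on the MIT KDC

# 1. On each workstation: the krb5.conf equivalent for the MIT realm.
#    This writes the realm/KDC pair under the LSA Kerberos registry keys,
#    which is what lets the login screen offer OFFICE alongside WOFFICE.
ksetup /addkdc OFFICE $kdc
ksetup /addkpasswd OFFICE $kdc      # optional: lets Ctrl-Alt-Del change the MIT password

# 2. On a domain controller: the shared key between the two realms.
#    The MIT side needs a principal with the identical password, e.g.
#      kadmin.local -q "addprinc krbtgt/WOFFICE@OFFICE"
#    (and krbtgt/OFFICE@WOFFICE as well if the trust is made two-way).
#    Windows 2000 only speaks DES/RC4 to an MIT KDC, so the MIT realm must
#    allow those enctypes for the krbtgt principal.
netdom trust WOFFICE /d:OFFICE /add /realm /passwordt:$trustPw

# 3. In "Active Directory Users and Computers": right-click the user, Name
#    Mappings, Kerberos Names, add foo@OFFICE. Under the hood this stores
#    the string  Kerberos:foo@OFFICE  in the account's altSecurityIdentities
#    attribute; no local account on the workstation is involved.

# 4. Check what the workstation now knows before rebooting it.
ksetup
```

After the reboot the user picks OFFICE at the login screen (or types foo@OFFICE) and never needs the password of the WOFFICE shadow account, which is the property the thread is after: the AD-side password can be long and random.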