There are actually a few ways (that I know of) to have Windows clients participate on an "open source" network. And Al is correct that Kerberos is actually more what enables this than LDAP. It is in fact the Kerberos layer that provides authentication. This practice is common at universities and the like where there is an equal mix of *nix and Windows clients wanting to share users and SSO to "simplify" management.

One way to have Windows clients participate is to modify your clients to speak directly to your MIT Krb5 instance. This can be done by using the ksetup command as follows:

    C:\> ksetup /setdomain REALM.DOMAIN.COM
    C:\> ksetup /addkdc REALM.DOMAIN.COM kdc.realm.domain.com

You will, of course, need a security principal on the Krb5 instance for this to work properly, and if you have more than 20 Windows machines it really isn't worth the headache.

Another method is to set up an MIT Kerberos/OpenLDAP implementation trusted by AD. In this instance you get the benefits of keeping all of your user security principals in one place (OpenLDAP/Kerberos), and with a full-blown AD instance you can still take advantage of computer-based GPOs, a shared namespace (if set up properly), etc. By virtue of keeping your clients in OpenLDAP you allow SSO to Windows, *nix, Mac OS X, etc. Unfortunately the setup requires a great deal of research and careful planning. The implementations are often error-prone and complicated, and if you don't have 45 computer science interns running around to maintain your AD, OpenLDAP, Kerberos, Samba, etc. etc. etc., then it gets really messy really quick.

If you are really interested in this undertaking check out the following links:

Windows Stuff
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

OpenLDAP and Krb5
http://www.bayour.com/LDAPv3-HOWTO.html

You will also need a good understanding of Cyrus SASL and Pluggable Authentication Modules (PAM).

By far the MS-recommended way to do this is to have an AD install with SFU (Services for UNIX). I haven't had much time to play with the 3.5 release; however, the previous version was both powerful and stable, and it can greatly reduce your administrative overhead to maintain a single directory.

http://www.microsoft.com/windows/sfu/default.asp



On Mar 18, 2004, at 8:29 AM, Roger Seielstad wrote:

What you're really saying is that you don't want to use AD for authentication - not that you want AD to use an external authentication source.
 
I believe there are some articles on the web for getting Windows 2000 and later servers to use something like that - BUT I believe it requires replacing the GINA process on the clients (not a trivial task, especially since they seem to change with every service pack).
 
Roger
--------------------------------------------------------------

Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: Lara Adianto [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 18, 2004 7:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Can Microsoft Active Directory be configured to authenticate to an external ldap server ??

Hi guys,
 
As the subject title says: can Microsoft Active Directory be configured to authenticate to an external LDAP server (OpenLDAP in my case)?
 
To make things clearer, this is the objective that I want to achieve:
I want authentication of Microsoft Active Directory's clients to be done by an OpenLDAP server on Linux. So, when a client of Microsoft Active Directory authenticates itself to MS AD, MS AD will ask OpenLDAP for authentication service. OpenLDAP will return reject or allow to MS AD.
 
I believe that this can be achieved by using Kerberos. I currently have the GSSAPI mechanism running on my OpenLDAP server, but I am not sure how to make MS AD talk to my OpenLDAP server.
 
Any idea, suggestions, hints will be very appreciated....
 
Cheers
- Lara -
 


------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------


Brent Westmoreland
BMW Group - Data Center Americas
Business: 864.989.6567

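The ksetup procedure Brent sketches above (setdomain plus addkdc) leaves out the steps that usually bite in practice: the kpasswd server, the machine password that has to match the host principal on the KDC, and the principal-to-local-account mapping. The script below is an added example written for this page, not code from the original thread or from Microsoft. It reuses the realm and KDC names from Brent's message; the client host name, the placeholder password and the account name "alice" are assumptions, and the host principal is assumed to have already been created on the MIT KDC (with kadmin, outside this script) using the same password.

```powershell
# Added example: point a stand-alone (workgroup, not AD-joined) Windows client at an
# MIT Kerberos realm with ksetup. Run from an elevated prompt.
#
# Assumptions (not from the original post):
#   - realm REALM.DOMAIN.COM and KDC kdc.realm.domain.com, as in Brent's message
#   - the principal host/client.realm.domain.com@REALM.DOMAIN.COM already exists on the
#     KDC (created with kadmin addprinc) with the password set in $HostPwd below
#   - a Kerberos user "alice" that should log on to a same-named local account

$Realm   = 'REALM.DOMAIN.COM'
$Kdc     = 'kdc.realm.domain.com'
$HostPwd = 'ChangeMe-HostPrincipalPassword'   # placeholder; must match the KDC-side host principal

# 1. Make the MIT realm the client's logon domain. This only applies to machines that are
#    not members of an AD domain, and it needs a reboot to take effect (see step 5).
ksetup /setdomain $Realm

# 2. Tell the client where the KDC and the password-change (kpasswd) service live. Without
#    the kpasswd entry, users with expired passwords cannot change them at the logon screen.
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# 3. Set the machine password so it matches the host/ principal's key on the KDC; this is the
#    "security principal on the Krb5 instance" Brent says you will need.
ksetup /setcomputerpassword $HostPwd

# 4. Map Kerberos principals to local accounts. Map named users explicitly; the wildcard form
#    (commented out) lets any principal the KDC authenticates log on to a same-named local
#    account, which is convenient but hands a local session to everyone in the realm.
ksetup /mapuser "alice@$Realm" alice
# ksetup /mapuser * *

# 5. Show the resulting realm/KDC configuration for review, then reboot so the domain change
#    takes effect. Uncomment the restart once the dump looks right.
ksetup /dumpstate
# Restart-Computer
```

After the reboot, log on as alice with the realm (REALM.DOMAIN.COM) selected in the logon dialog; a failed logon with a correct password usually means the machine password from step 3 does not match the host principal on the KDC, or the client's clock is outside the KDC's allowed skew.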