On Fri, 18 Jan 2002, David Lawler Christiansen (NT) wrote:

> It's true that you can't get the token information out of the ticket if
> the KDC cannot generate a PAC (presumably because it is not an MS KDC).
> 
> However, this doesn't render your server useless.  What it does do is
> deprive you of the benefits that a Windows Domain grants you, which go
> far beyond just Kerberos authentication.  The server itself is just as
> configurable and useful as it was before-- you just have to manage it
> differently.
> 
> For example, Windows Domains have Group Policy, which enables you to
> make sweeping changes within your domain in a convenient manner.  Those
> changes can be made without group policy-- it's just not as easy.
> 
> The unix equivalent is something like YP or Hesiod-- if you don't have
> them, then you must manage the local account space to match up
> principals with accounts.  Windows is the same way-- the Domain provides
> the authorization and other services.

except for the PAC, which is generated/stored in the W2K KDC.

in unix (well, modern NSS / PAM and some custom implementations), the
information service and the authorisation service are completely
independent of each other.  whether i use NIS, LDAP, or write my own
libc NSS module to refer all queries to a human in real time does not
affect whether i use kerberos or whatever for authorisation. and vice 
versa.

with the MS solution they aren't: a tiny piece of the information 
service is provided by the authorisation service. So in order to avail 
of the Active Directory information service, i must also use the MS 
authorisation service. If i don't, i can't use AD.

(and can i replace Active Directory with some other information
service, eg some LDAP server? probably not. but that's for another
list).

regards,

--paulj
