We've been testing MIT Kerberos as a centralized authentication mechanism for Linux/UNIX and Windows boxes for the past several months. My test setup consists of one master and two slave (read-only) KDCs running RHEL AS 3.0 and a myriad of clients. So far, all is well on the Linux/UNIX client side, but I keep running into a problem with the Windows client setup, ksetup on WinXP specifically.

The ksetup utility doesn't allow me to specify an admin server separate from my KDCs. I would like all of the "normal" ticket requests to go to the slave KDCs and the "admin" traffic to go to the admin server. As it stands, I cannot change passwords on the Windows box unless I've only specified the admin server. Not only is this a drain on my admin server's resources, it's a single point of failure for my Windows clients.

I can see a few solutions, but haven't found anyone that's put together a good tutorial for doing this yet:

(1) Allow for multi-master admin servers -- Microsoft seems to have this in AD, but from my research, the master KDC is a single point of failure in the MIT implementation. If this worked, delta-level replication would happen from KDC to KDC (no more master -> slave propagation).

(2) Alter the Kerberos setup under Windows to specify separate admin and KDC servers. This would solve my immediate problem, but it still appears to me that a single admin server is a single point of failure for password changes.

(3) Redirect admin server requests at the slave KDCs. I'm not even sure if this would work, but if I were to set up a NAT tunnel from the kpasswd service on my slave KDC to my admin server (and back again), the client would think that the slave is handling the password change request.

I'm sure that there are more issues that I haven't thought of or run into yet. I'd appreciate any guidance that you may be able to provide.

Thank you,
Jason Hardy

--
Jason T Hardy
Unix Systems Administrator
Office of Information Technology
University of Texas at Arlington
http://www.uta.edu/linux/

________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
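For comparison with the ksetup limitation described in the post, this is an added example (not the poster's configuration) of how the same split is expressed in an MIT krb5.conf on the Linux/UNIX clients: ticket traffic is spread across the two slave KDCs while admin and password-change traffic is pinned to the master. The realm name and hostnames are placeholders.

```ini
# Added example: MIT krb5.conf [realms] stanza separating KDC traffic from
# admin/kpasswd traffic. Realm and hostnames are assumed placeholders.

[libdefaults]
    default_realm = EXAMPLE.ORG
    # Clients try the listed KDCs in order and fail over on timeout,
    # so losing one slave does not stop ticket issuance.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.ORG = {
        # Read-only slave KDCs handle AS/TGS (normal ticket) requests.
        kdc = kdc1.example.org:88
        kdc = kdc2.example.org:88

        # Only the master runs kadmind, so kadmin/kpasswd traffic must
        # go there; the slaves' databases are propagated copies.
        admin_server = kdc-master.example.org:749
        kpasswd_server = kdc-master.example.org:464
    }

[domain_realm]
    .example.org = EXAMPLE.ORG
    example.org = EXAMPLE.ORG
```

With this layout the master is still the single point of failure for password changes (the poster's option 2), but a master outage no longer blocks logins, which is the part of the risk the slave KDCs remove.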
