Hello,

I've been experimenting with Heimdal Kerberos on cross-realm authentication, for Windows 2000 clients to authenticate to a Heimdal KDC, and just found out that there seems to be a problem with the change-password interoperability between the Win2k client and the Heimdal KDC.

Therefore, I intend to switch to MIT Kerberos but need to confirm the interoperability features of the MIT KDC and Windows clients:

1. Is there any issue of change-password incompatibility between the MIT KDC and Windows clients? Will a user on a Win2k / WinXP machine be able to change his/her password in the MIT KDC using ctrl-alt-del or when the password is expired?

In the following link: http://mailman.mit.edu/pipermail/kerberos/2004-April/005326.html, Jeffrey Altman wrote:

"I have just tested MIT KDC 1.3.3 with two machines. One which is part of a Windows domain which uses cross-realm trust with a MIT KDC to perform login. In this case the password change does not appear to work on expiration."

Has anyone found a way to solve the above problem? Or is this still a limitation of the interoperability between the MIT Kerberos KDC and the Windows client?

2. Quoting from the paper by Michael Swift, Irina Kosinovsky and Jonathan Trostle titled Implementation of Crossrealm Referral Handling in the MIT Kerberos Client:

"The Windows 2000 client does not canonicalize names at all, so the short name is sent to the KDC."

Hence, if my understanding is correct, a request for service host/service-name.foo.org will be sent to the MIT Kerberos KDC as host/[EMAIL PROTECTED] and not as host/[EMAIL PROTECTED]

How does MIT Kerberos determine the 'right' realm to be used in issuing a referral ticket for the client's request? DNS? krb5.conf? Does this mean that every service-name must have an entry in the DNS or krb5.conf? For example:

    serviceA = realmA
    serviceB = realmB

This will be tedious if we have to specify the mapping for every possible service or host that we have in a domain one by one, right?

Regards,
lara
