MIT Kerberos and 2008R2 AD

2011-03-18 Thread Hubert Chomette
Hello there,
Is there a solution for having an MIT KDC and a 2008R2 AD in the same realm?
I have an existing MIT KDC realm and am trying to implement a 2008R2 AD for my Windows
clients.
I wish to use the MIT KDC as the main authentication process.
The idea is to import accounts with cron and an LDIF file into the 2008R2 AD, but
authentication should continue using the MIT KDC.

Is there a solution other than a cross-realm trust (which supposes different
realm names)?

Regards,

-Hubert CHOMETTE






Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Question about cross realm authentication

2009-11-13 Thread Hubert Chomette
Hi,

We are trying to unify authentication between two departments in our
university.
The two departments have their own KDC, so cross-realm should be the
more interesting thing.
What I have understood is that a client from site A with a TGT from A
can ask for a cross-realm TGT for site B and access all SSO-enabled
applications at B.
But suppose that a user from site A goes to site B. How can he
authenticate on a machine from site B (Linux/Windows computers using
KDC B authentication)?
Does cross-realm permit such things? Or should this user have an
account on site B too?

Thanks for your help

Regards,

Hubert

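The question above is really about two separate things: a cross-realm TGT (which the KDCs handle once krbtgt/SITEB@SITEA and krbtgt/SITEA@SITEB exist with identical keys in both realms) and the mapping of a foreign principal to a local account on the site B machine, which is what decides whether hubert@SITEA can log in there. That second step is done by the auth_to_local rules in site B's krb5.conf (or a ~/.k5login on the target account). The following is an added example, not code from the thread or from MIT Kerberos: a small Python evaluator for MIT's RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT forms. The realm names SITEA.EXAMPLE and SITEB.EXAMPLE, the a-<name> local namespace for site A users, and the use of Python regexps in place of MIT's POSIX extended regexps are assumptions of the example.

```python
"""auth_to_local rule evaluation for a cross-realm login (added example).

Assumptions: site B's default realm is SITEB.EXAMPLE, site A's is
SITEA.EXAMPLE, and site B's krb5.conf carries the rules in SITE_B_RULES.
Rules are evaluated with Python regular expressions; MIT uses POSIX
extended regexps, so keep rules to the common subset and use explicit
^ and $ anchors as the MIT documentation examples do.
"""
import re
from typing import List, Optional, Sequence, Tuple

DEFAULT_REALM = "SITEB.EXAMPLE"  # assumed default_realm of the site B machine

# RULE:[n:string](regexp)s/pattern/replacement/g  (all parts required here;
# '/' inside pattern or replacement is not supported by this parser)
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")

SITE_B_RULES = [
    # Site A users land in their own local namespace (a-<name>) so a
    # site A principal can never be mapped onto a site B account of the
    # same name; those a-* accounts still have to exist on the machine.
    r"RULE:[1:$1@$0](^[a-z][a-z0-9_-]*@SITEA\.EXAMPLE$)s/^([^@]*)@SITEA\.EXAMPLE$/a-\1/",
    # Single-component principals of the default realm map to themselves.
    "DEFAULT",
]


def split_principal(name: str) -> Tuple[List[str], str]:
    """Split 'comp1/comp2@REALM' into (components, realm); escapes ignored."""
    if "@" not in name:
        raise ValueError(f"principal {name!r} carries no realm")
    body, realm = name.rsplit("@", 1)
    if not body or not realm:
        raise ValueError(f"malformed principal {name!r}")
    return body.split("/"), realm


def _select(n: int, fmt: str, comps: Sequence[str], realm: str) -> Optional[str]:
    """Expand $0 (realm) and $1..$n (components); None if the component count differs."""
    if len(comps) != n:
        return None

    def expand(m: re.Match) -> str:
        i = int(m.group(1))
        if i == 0:
            return realm
        if 1 <= i <= n:
            return comps[i - 1]
        raise ValueError(f"${i} is out of range for a {n}-component rule")

    return re.sub(r"\$(\d+)", expand, fmt)


def auth_to_local(principal: str, rules: Sequence[str],
                  default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Return the local user name for `principal`, or None when no rule matches.

    None means the login is refused unless ~/.k5login on the target account
    lists the principal explicitly."""
    comps, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        m = _RULE.match(rule)
        if m is None:
            raise ValueError(f"unparseable auth_to_local rule: {rule!r}")
        n, fmt, regexp, pattern, replacement, flag = m.groups()
        selected = _select(int(n), fmt, comps, realm)
        if selected is None or re.search(regexp, selected) is None:
            continue
        return re.sub(pattern, replacement, selected, count=0 if flag else 1)
    return None


if __name__ == "__main__":
    for p in ("hubert@SITEB.EXAMPLE", "hubert@SITEA.EXAMPLE",
              "hubert/admin@SITEA.EXAMPLE",
              "host/pc1.siteb.example@SITEB.EXAMPLE", "hubert@SITEC.EXAMPLE"):
        print(f"{p:40} -> {auth_to_local(p, SITE_B_RULES)}")
```

The rule order matters: the first matching rule wins, so the site A rule sits before DEFAULT. Note that a rule can only select a local name; the account (here a-hubert) still has to exist on the site B machine, via LDAP, NIS or local files, or the login fails anyway. Mapping a foreign realm's users into a prefixed namespace rather than onto same-named local accounts is a design choice of this example, made so that a site A administrator creating "root" or a colleague's name in realm A gains nothing on site B hosts.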


kerberos and windows XP home edition

2009-06-18 Thread Hubert Chomette
Hi
I am trying to add a Windows XP Home Edition machine to my realm and I've got an issue.
The same setup works with Windows XP Pro.
Is there an incompatibility with XP Home, or am I missing something in
the configuration?
Thanks for your help

regards,






Re: NIS => Kerberos/LDAP Migration

2009-06-02 Thread Hubert Chomette
OK, thanks all for your help.
I'll try this.

PS: I tried the Debian experimental package version of libkrb53 and
pam_migrate and got the same issue. When added to common-auth, it just
hangs the console when someone tries to log in.

On 20 May 09 at 01:01, Marcus Watts wrote:

 Date:Tue, 19 May 2009 12:03:59 PDT
 To:  kerberos@mit.edu
 From:Russ Allbery r...@stanford.edu
 Subject: Re: NIS => Kerberos/LDAP Migration

 Marcus Watts m...@umich.edu writes:

 I'm not sure I understand why
 Authen::Krb5::Admin
 http://search.cpan.org/~korty/Authen-Krb5-Admin-0.11/Admin.pm
 is a problem.  I've run it with various incarnations of MIT 1.4.3 /
 1.6.3 for a while now.  Ok, they weren't stock, but I don't remember doing
 anything special to export the necessary kadm5 functions.  The only messy
 bit is that Authen::Krb5::Admin provides its own header files for the MIT
 functions - that sucks, but that having been said, it basically works.
 Is there something special about debian's MIT kerberos libraries?

 That works -- you just can't use it in a PAM module.  PAM modules
 generally need to be C.  I suppose you could embed a Perl interpreter in
 a PAM module, but that terrifies me.  You could also write a PAM module
 that talks to something written in Perl via a local socket or something,
 but now you're getting into a fair bit of coding.

 Perl would certainly have a startup cost, so yes, not ideal.

 There are pam modules that exec programs -- pam_exec, and
 pam_unix + unix_chkpwd.  Neither of them is quite right for
 this, and exec'ing a program is ugly, but perhaps possible
 (depending on which application(s) need to use this.)

 Using c/remctl in pam, then invoking a perl script would be
 relatively trivial - although running perl like that is still
 going to incur the startup cost.  Running perl once and not
 on each authentication attempt is going to need some form of ipc,
 be it local sockets or whatever.

 To do the local socket thing in perl, this perl module
 is useful:
   Socket::MsgHdr
 http://search.cpan.org/~mjp/Socket-MsgHdr-0.01/MsgHdr.pm

 It's quite possible to write servers or clients in perl that
 use local (unix domain) sockets.  In some existing code,
 I seem to have used about 350 lines of perl (and the above
 module) to do most of the socket management and argument
 packing/unpacking.

 ...

 For a completely different solution: if you were willing to modify the
 kdc/kadmin as well as the client, and really weren't at all afraid of
 coding, you could add a crypt salt type, and simply import your nis
 password database directly into your kerberos database.  I did this
 at one point (with an experimental crypto system based on cast-5); it
 took me approximately 360 extra lines in just 5 files to handle this.
 Of course, the devil is in the details, and this was *not* a stock
 kerberos code base.

 Personally, if I was going for the simplest least code approach, I'd use
 the steal the headers approach and just call kadm5 from inside the pam
 module.  I might set up a special service principal that is acl'd to
 only be able to invoke ank.

 If I was going for most secure, I'd have a separate daemon that
 validated the password matched the crypt string from nis, then
 created a kerberos principal that matched.  perl5 might actually
 be ok for the separate daemon.

   -Marcus Watts
 




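Marcus Watts's "most secure" variant in the quoted message (a separate daemon that first checks the supplied password against the crypt string from the NIS map and only then creates the matching Kerberos principal) is sketched below as an added example; it is not code from the thread, from pam_krb5_migrate or from MIT Kerberos. The realm SITEA.EXAMPLE and the passwd map lines are constructed, and both the crypt(3) implementation and the principal-creation backend are injected callables so the logic runs without a KDC or NIS. In a real deployment crypt_fn would be crypt.crypt (or an equivalent, since the crypt module was removed in Python 3.13) and add_principal a kadm5 client such as the Authen::Krb5::Admin binding mentioned above, bound to a principal whose kadm5.acl entry grants only "a" (add), which is the "acl'd to only be able to invoke ank" idea from the message.

```python
"""First-login password migration check (added example; not the thread's code).

Assumptions: SAMPLE_MAP is constructed, the realm is SITEA.EXAMPLE, and
crypt_fn / add_principal are injected so the flow can run without a KDC.
In the real daemon add_principal is a kadm5 client using a principal
whose kadm5.acl entry grants only 'a' (add principals), nothing else.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class NisUser:
    name: str
    crypt_string: str
    uid: int
    gid: int


def parse_passwd_map(text: str) -> Dict[str, NisUser]:
    """Parse 'ypcat passwd' output: name:crypt:uid:gid:gecos:home:shell."""
    users: Dict[str, NisUser] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, pw, uid, gid = fields[:4]
        users[name] = NisUser(name, pw, int(uid), int(gid))
    return users


def password_matches(user: NisUser, password: str,
                     crypt_fn: Callable[[str, str], str]) -> bool:
    """Recompute the crypt string using the stored one as the setting and
    compare in constant time.  Locked ('!', '*'), empty and shadowed ('x')
    entries never match, so such accounts cannot be migrated by guessing."""
    stored = user.crypt_string
    if stored in ("", "x") or stored[0] in "*!":
        return False
    try:
        computed = crypt_fn(password, stored)
    except Exception:
        return False
    if not computed:
        return False
    return hmac.compare_digest(computed, stored)


class Migrator:
    """Verify against NIS first, then create the principal with the same password."""

    def __init__(self, users: Dict[str, NisUser], crypt_fn: Callable[[str, str], str],
                 add_principal: Callable[[str, str], bool], realm: str):
        self.users = users
        self.crypt_fn = crypt_fn
        self.add_principal = add_principal  # returns False if it already exists
        self.realm = realm

    def migrate(self, name: str, password: str) -> str:
        user = self.users.get(name)
        if user is None:
            return "unknown-user"
        if not password_matches(user, password, self.crypt_fn):
            return "bad-password"  # never touch the KDC after a failed check
        principal = f"{name}@{self.realm}"
        return "migrated" if self.add_principal(principal, password) else "exists"


# Constructed sample map (not real data); '$fake$' is a stand-in scheme
# understood only by fake_crypt below.
SAMPLE_MAP = """\
hubert:$fake$s3cret:1001:100:Hubert:/home/hubert:/bin/bash
locked:!$fake$s3cret:1002:100:Locked account:/home/locked:/bin/false
svc:x:1003:100:Shadowed:/home/svc:/bin/false
"""


def fake_crypt(password: str, setting: str) -> str:
    """Demo stand-in for crypt.crypt: the 'hash' is the password itself."""
    return "$fake$" + password


class MemoryKdc:
    """Stand-in for the kadm5 'ank' call; remembers what was created."""

    def __init__(self) -> None:
        self.principals: Dict[str, str] = {}

    def add_principal(self, principal: str, password: str) -> bool:
        if principal in self.principals:
            return False
        self.principals[principal] = password
        return True


def demo() -> MemoryKdc:
    kdc = MemoryKdc()
    m = Migrator(parse_passwd_map(SAMPLE_MAP), fake_crypt, kdc.add_principal,
                 "SITEA.EXAMPLE")
    for name, pw in (("hubert", "wrong"), ("hubert", "s3cret"), ("hubert", "s3cret"),
                     ("locked", "s3cret"), ("svc", "x"), ("nobody", "s3cret")):
        print(f"{name:8} {m.migrate(name, pw)}")
    return kdc


if __name__ == "__main__":
    demo()
```

Two points carry over to the real daemon regardless of language: the principal is created only after the NIS check passes, so a failed or locked login never reaches the kadm5 call, and the migration credential itself should be able to add principals and nothing more, so a compromise of the daemon cannot change or delete existing ones.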


Re: NIS => Kerberos/LDAP Migration

2009-05-19 Thread Hubert Chomette
So if I understand correctly, I've got two choices:

- migrate my KDC to version 1.7 (I suppose you mean experimental,
because there is no major different release between stable and
testing) / or use Heimdal Kerberos

- make my own PAM module using Perl to send login/password with kadmin



On 18 May 09 at 20:00, Russ Allbery wrote:

 Hubert Chomette hubert.chome...@unilim.fr writes:

 I am trying to use the pam_krb5_migrate PAM module on Debian lenny using the
 pam-krb5-migrate-heimdal package.

 I've seen past messages on this subject:
 http://www.mail-archive.com/kerberos@mit.edu/msg12701.html
 Does this module work with MIT Kerberos?
 I tried to, but didn't succeed.

 This module won't work with the MIT Kerberos in lenny since it didn't
 provide a public API for the kadmin libraries.  This is fixed in squeeze
 (the current testing), but that's probably not horribly helpful for your
 current purpose.  :/

 -- 
 Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/ 
 






NIS => Kerberos/LDAP Migration

2009-05-18 Thread Hubert Chomette
Hi
I am trying to use the pam_krb5_migrate PAM module on Debian lenny using the
pam-krb5-migrate-heimdal package.
I've seen past messages on this subject:
http://www.mail-archive.com/kerberos@mit.edu/msg12701.html
Does this module work with MIT Kerberos?
I tried to, but didn't succeed.

Thanks for your help

regards,




