On Thursday 29 April 2004 01:00, Yonah Russ wrote:
> Active directories is very heavy on kerberos- it's theoretically
> possible to use the same kerberos for both the active directory and
> linux- I've read you can even convince active directories to use a linux
> kerberos server.

I would be very cautious about this. Take a look at:
http://www.usenix.org/publications/login/1997-11/embraces.html

As usual, MS "extended" the protocol with some undocumented credential
information specific to Windows. They also chose to do it in a brutal way
by using fields marked in the RFC as "unused".

Now, there is some interoperability:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

But while it looks obvious that Unix/Linux machines would authenticate
against a W2K kdc, I'm not sure if a Win* client that authenticates against
a nominal MIT kdc gets all the features (I'm not very fluent in MS-speak :-),
or maybe it is only authorized for a "compatibility mode" subset of features
(which is what I would expect MS to implement).

--
Oron Peled                             Voice/Fax: +972-4-8228492
[EMAIL PROTECTED]                  http://www.actcom.co.il/~oron

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html