On Thu, May 26, 2011 at 4:43 PM, Vijay Sankar <vsan...@foretell.ca> wrote:
> I have some experience, not all of it good. Currently I am using Samba and
> LDAP for MS Clients in production mode. I am experimenting with AFS etc., and
> that does work well but only on i386. Ideally I would like to have a solution
> that keeps OpenBSD on amd64 at the centre and have all users on Mac, MS
> Clients, mobile devices, and Linux all get authenticated by their OpenBSD
> accounts. So I am still looking ...
>
> I am not sure whether this topic is of much interest to people on misc@ so
> please feel free to send me private email.
>
> On 2011-05-26, at 3:27 PM, Friedrich Locke wrote:
>
>> Hi,
>>
>> I would like to get in touch with ones that have experience
>> implementing Kerberos in heterogeneous networks (OpenBSD server,
>> Heimdal and MS clients). If you are one, would you mind sending me a
>> note?
>>
>> Thanks in advance.
>>
>> Fried.
>>
>
> Vijay Sankar
> vsan...@foretell.ca
>
I use MIT Kerberos and authenticate to that from Windows 7. I imagine a lot
of the same applies to the Heimdal implementation. Basically, it consists of
these steps:

1. Get the KDC running and operational, including kadmin

2. Create a principal for the Windows host:

   kadmin
   addprinc -pw somepasswd host/hostname.domain.org@REALM

3. Create a user principal:

   kadmin.local
   addprinc username/admin@REALM
   addprinc username@REALM

4. Configure Windows to use the KDC:

   ksetup /setrealm REALM
   ksetup /setdomain DNSDOMAIN
   ksetup /addkdc REALM kdcdnsname
   ksetup /setcomputerpassword somepasswd
   ksetup /mapuser krbuserprincipal@REALM localusername
   ksetup /mapuser * *
   ksetup /addkpasswd HOME.ARSWIKI.ORG galadriel.home.arswiki.org

5. Reboot

You can check the configuration like this:

C:\Windows\system32> ksetup
default realm = REALM (external)
REALM:
    kdc = kdcdnsname
    Realm Flags = 0x0 No Realm Flags
Mapping krbuserprincipal@REALM to localusername.
Mapping all users (*) to a local account by the same name (*).

On Windows, for whatever reason, the dnsdomain needs to match the REALM
name. If they are different, things didn't seem to work.

When you log into Windows, log in using REALM\username. The net effect is
that Windows will have a Kerberos TGT and a host ticket upon login. These
are usable by Windows applications that are Kerberos enabled (e.g.,
Firefox, Chrome, IE, etc.).

The MS kerbtray.exe is useful for verifying that everything is working. It
will show your client principal and tickets. This is available from the MS
website.

I require pre-auth to request a TGT. This works.

Different versions of Windows support different levels of encryption.
Whether the default configuration of Heimdal supports what different
versions of Windows support I can't say.

Get ready to read through lots of logs. Troubleshooting on Windows is akin
to walking in the dark.
I had issues at first where I could not get apps (browsers) to use the
Kerberos TGT to authenticate to Apache servers using mod_auth_kerb. I got
this working, but there are still some unknowns. I installed the MIT kfw,
things started working, then it stopped, then I uninstalled kfw because I
didn't care to have another process running. Things have been working since
then (I can auth to Apache via mod_auth_kerb through FF, IE, Chrome). I plan
to test on another machine to verify, but still some unknowns. This was on
Windows 7.

Axton Grams
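The two-sided procedure above (principals on the MIT KDC, then ksetup on the Windows host), as an added example that is not from the original message or the thread's authors: a small shell script that emits both command lists from one set of variables, so the one shared secret (the host password passed to `addprinc -pw` and to `ksetup /setcomputerpassword`) and the realm/DNS-domain pair cannot drift apart, and refuses to proceed when the DNS domain is not the lower-case form of the realm, the failure mode the message reports. All names are hypothetical (realm EXAMPLE.ORG, KDC kdc.example.org, Windows host win7.example.org, user alice), and the enctype list is an assumption (AES and RC4, which Windows 7 negotiates); kadmin.local's `-q`, `-pw`, `-e` and `+requires_preauth` are real MIT kadmin options, but which enctypes a given Windows version accepts has to be checked against that version.

```shell
#!/bin/sh
# Generates matching KDC-side (MIT kadmin.local) and Windows-side (ksetup)
# command lists for the steps in the message above. Hypothetical names:
# realm EXAMPLE.ORG, KDC kdc.example.org, Windows host win7.example.org,
# user alice. The enctype list is an assumption for Windows 7 (AES + RC4).

# Windows wants the DNS domain to be the lower-case form of the realm name.
# $1 realm, $2 DNS domain. Returns 0 when they agree, 1 otherwise.
realm_matches_domain() {
    [ "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" = "$1" ]
}

# kadmin.local commands to run on the KDC. The host principal gets the same
# password that ksetup /setcomputerpassword will set on the Windows side;
# the user principal requires pre-authentication, as in the message above.
# $1 realm, $2 Windows host FQDN, $3 host password, $4 user name
kdc_commands() {
    enctypes="aes256-cts-hmac-sha1-96:normal,arcfour-hmac:normal"
    cat <<EOF
kadmin.local -q "addprinc -pw $3 -e $enctypes host/$2@$1"
kadmin.local -q "addprinc +requires_preauth -e $enctypes $4@$1"
EOF
}

# ksetup commands to run in an elevated prompt on the Windows host, followed
# by a reboot. $1 realm, $2 DNS domain, $3 KDC FQDN, $4 host password,
# $5 Kerberos user name, $6 local Windows account it maps to
ksetup_commands() {
    cat <<EOF
ksetup /setrealm $1
ksetup /setdomain $2
ksetup /addkdc $1 $3
ksetup /addkpasswd $1 $3
ksetup /setcomputerpassword $4
ksetup /mapuser $5@$1 $6
ksetup /mapuser * *
EOF
}

# Checks the text a bare "ksetup" prints on the Windows host (the check shown
# in the message) for the realm and KDC that were configured.
# $1 realm, $2 KDC FQDN, $3 captured ksetup output
check_ksetup_output() {
    printf '%s\n' "$3" | grep -qF "default realm = $1" &&
    printf '%s\n' "$3" | grep -qF "kdc = $2"
}

# Emits both command lists, refusing to continue if realm and DNS domain
# disagree. $1 realm, $2 DNS domain, $3 KDC FQDN, $4 Windows host FQDN,
# $5 host password, $6 Kerberos user, $7 local Windows account
generate() {
    if ! realm_matches_domain "$1" "$2"; then
        echo "realm $1 does not match DNS domain $2; Windows will not log in" >&2
        return 1
    fi
    echo "# on the KDC:"
    kdc_commands "$1" "$4" "$5" "$6"
    echo "# on the Windows host (then reboot):"
    ksetup_commands "$1" "$2" "$3" "$5" "$6" "$7"
}

# Usage: sh kerb-join.sh print
if [ "${1:-}" = "print" ]; then
    generate EXAMPLE.ORG example.org kdc.example.org win7.example.org \
        S3cretHostPw alice alice
fi
```

The host password is the only secret that has to be identical on both sides; the script takes it once so a typo cannot produce the "host principal exists but the machine cannot get a host ticket" symptom that only shows up in the KDC log. Pasting the generated ksetup lines into an elevated prompt, rebooting, and then feeding the output of a bare `ksetup` to `check_ksetup_output` reproduces the verification step from the message.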