Kerberos authentication

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Mar 30 18:10:06 GMT 1999


On Tue, 30 Mar 1999, Sean E. Millichamp wrote:

> On Wed, 31 Mar 1999, Luke Kenneth Casson Leighton wrote:
> 
> > On Wed, 31 Mar 1999, Yuji Shinozaki wrote:
> > 
> > > 
> > > Can you implement the Samba PDC to use KRB5 (or KRB4) authentication?
> > 
> > only with modification of either KRB5, KRB4 or the modification of nt
> > clients.  none of these are practical.
> 
> I don't know if this is what you are referring to by modification of the
> NT clients

yes.

> but the University of Michigan's CITI group has written (or, is
> writing) a new GINA in an attempt to implement a PAM for Windows NT.  
> They say they have both a Kerberos 4 and 5 module (among others).

GINAs are not an appropriate place to provide alternative authentication.
microsoft is fully aware of this and deliberately does not provide any
information about the more appropriate API interface (the Local Security
Authority) except if you pay them extortionate amounts of money and if
they like the way that you smell.

therefore, the only _public_ way to provide alternative authentication is
to have a GINA that calls into MSGINA once you have "done your own thing"
sufficient to fool MSGINA into thinking that the [Kerberos, NIS etc] user
exists.


