[OT]: Externalized KDC ...
leet at leenx.co.za
Mon Apr 26 14:09:10 GMT 2004
Thanks for your responce ...
> If the WAN sites are a small number (regionalized?) then you might
> want to simply consider
> using one KDC infrastructure where the KDC has slaves in each WAN
> site. You could go either
> to MIT or to Windows 2000/2003 KDCs rather than have two. Then the
> passwords are synchronized.
That is what I wanted to do, that is put a KDC slave down at each
site, but can one get Win2K3 to sync to an MIT KDC slave? I don't know
and that was what I was asking, or if I could use MIT KDC and get Win2K3
AD to use MIT KDC, but what Luke said is that I would loose NTLM auth,
so my other question was what would that mean, no Win9X system?
> Of course it all depends upon whether each site has its own AD domian
> as well. I am assuming
> you have one OpenLDAP "domain" and one AD domain.
We do have one domain for OpenLDAP and one for AD, for the complete
>> A few questions, and maybe I should explain why I was looking at
>> this ... First, we are
>> trying to bring our Linux ( OpenLDAP ) and AD users together and use
>> one password. Now I know
>> that we could use winbind and friends to do this or I could create a
>> trust between my Linux domain and AD domain, which I have tested both
>> ways, but my problem is that we have a few sites
>> which need auth that are not directory connected to my network ( WAN
>> ), and some times these links go down.
>> Now if I use winbind and kerberos inside AD, my remote users can't
>> auth, and then there systems go down.
>> Now when I saw a message in samba-tech about using an external
>> KDC, I throught that maybe I
>> could put my Kerberos inside my OpenLDAP and replicated that to my
>> remote sites ( which I do with Linux users )
>> and get AD to use the same Kerberos details. I currently create
>> accounts in both system and don't mind to
>> continue to do, if my users can use one password and username.
>> But, you say that we would need something to create NTLM auth.
>> If this was ignored, what would we loose?
>> Things like Win9X? Could we not find a simple way to put in NTLM
>> through the web or something? Any ideas would be
>>> Generally there are two choices: individual workstations can use
>>> an external KDC for authentication, with the proviso that users
>>> must have local accounts; or you can setup a cross-realm trust
>>> between an Active Directory domain and a "MIT" Kerberos realm,
>>> with the proviso that MIT accounts must be duplicated in Active
>>> Directory. In either case you need some sort of password
>>> synchronization in order for downlevel (NTLM) authentication to
>>> ("MIT" in this case is Microsoft-speak for non-Active Directory
>>> Kerberos. You could of course use Heimdal or CyberSafe.)
>>>> A little while ago, I saw chatter about Win2K server using an
>>>> external KDC, is there any more information that any body could
>>>> point me at ...
More information about the samba-technical