[EMAIL PROTECTED] wrote:
> Hi, folks
>
> I've tested the openLDAP+MIT kerberos+SASL/GSSAPI on Linux (and I'm quite
> happy with it), but I'll need the client-side support on the windows side
> as well. Anyone knows of some good online docs that explain what has to be
> done on the windows side?
>
> For instance, there is apparently no stable SASL for windows
> (http://asg.web.cmu.edu/cyrus/download/sasl/windows.html), so what's used
> for SASL/GSSAPI? :-)

I am not aware of an alternative implementation of SASL for Windows.
The indication from this page is that the SASL-GSSAPI builds against
the CyberSafe sources. You should be able to modify that to build
against the MIT Kerberos for Windows 2.6.x SDK quite easily.

> Closely related: I want to set up windows AD controller in such a way that
> the password for all users is checked against MIT kerberos KDC.

Use cross-realm authentication and have your user authenticate using
the MIT KDC realm principal instead of the mapped Active Directory
accounts.

> Now, windows machines have a built-in support for kerberos, and that's all
> that's needed for login purpose. Do I still need to install
> MIT kerberos 4 Windows on all the windows client machines, or not?

Microsoft does not export a Kerberos programming API. They only
provide the Kerberos SSP which has semantics similar to GSSAPI but
with a different API and some wire compatibility issues depending on
how it is used.

If you wish to use the same sources for Kerberos 5 and GSSAPI on Linux
and Windows, then you should install the MIT KFW 2.6.x package on your
clients and build your applications against that framework. Depending
on your needs you can either import the Microsoft LSA credentials into
a new MIT Kerberos credentials cache or access the MS LSA credentials
in read-only mode via the MIT krb5_ccache "MSLSA:" ccache interface.

Jeffrey Altman

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
