Hi there, I'm having major problems with Kerberos on Windows. I should mention that I'm a complete n00b when it comes to these things, and I'm really trying to spread my wings.

I'm an I.T. tech at a high school in Australia. We use Windows 2003 (R2, SP2) domain controllers and XP workstations in a domain environment. There are also some Mac OS X 10.3/4/5 machines; also in play here are a few Linux servers - I've successfully set up our intranet site (PHP on Apache) to use Kerberos authentication, bound both Linux servers to AD, and we're now working on Squid authing via Kerberos as well.

The ultimate goal here is single-sign-on, with fallback to prompting the user to sign in if they don't have a ticket. Staff laptops aren't joined to the domain.

On staff Mac laptops, by just adding kinit [EMAIL PROTECTED] to their "connect to network" script, users are able to connect to CIFS shares and printers on the AD2k3 servers with no problems, and Safari passes Kerberos auth details to the intranet servers. This is a beautiful, incredibly simple solution, especially when compared to some of the previous AppleScript "solutions".

On non-domain Windows XP laptops, that couldn't be further from the truth. Using MIT KfW's Network Identity Manager (or kinit), I'm able to request a ticket for the domain - no problems there. I can even do this for other users; I can even do this from workstations on other 2k3 domains. However, from what I read, these tickets are only available to programs which use the KfW API and aren't accessible by any other programs - for example, Internet Explorer, or Windows' CIFS/SMB client.

Ideally, what I want to do on the non-domain Windows laptops is something along the lines of calling kinit from a "Connect to Network" script, which would then allow network drives to be mapped and any other Kerberos resource in the domain to be used without the staff member being prompted for a password, as described for our Mac clients.

At the moment it looks like it isn't actually possible to do this in Windows XP. PLEASE help!
:-)

---
Chris Lowe
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
