Re: Kerberos on Windows
- From: Chris Lowe <chris.lowe@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 8 Mar 2008 03:30:25 +1100
After some long and painful research, I've discovered the mit2ms command, which only works in Vista.
Does anything implement this functionality in XP?
-Chris
On 07/03/2008, at 10:56 PM, Chris Lowe wrote:
Hi there,
I'm having major problems with Kerberos on Windows. I should mention
that I'm a complete n00b when it comes to these things, and I'm
really trying to spread my wings.
I'm an I.T. tech at a high school in Australia. We use Windows 2003
(R2, SP2) domain controllers and XP workstations in a domain
environment. There are also some Mac OS X 10.3/4/5 machines; also in
play here are a few Linux servers - I've successfully set up our
intranet site (PHP on Apache) to use Kerberos authentication, bound
both linux servers to AD, and we're now working on squid authing via
kerberos as well. The ultimate goal here is single-sign-on, with
fallback to prompting the user to sign in if they don't have a ticket.
Staff laptops aren't joined to the domain.
On staff mac laptops, by just adding kinit user@DOMAIN to their
"connect to network" script, users are able to connect to CIFS shares
and printers on the AD2k3 servers with no problems, and Safari passes
kerberos auth details to the intranet servers. This is a beautiful,
incredibly simple solution, especially when compared to some of the
previous AppleScript "solutions".
On non-domain Windows XP laptops, that couldn't be further from the
truth. Using MIT KfW's Network Identity Manager (or kinit), I'm able
to request a ticket for the domain - no problems there. I can even do
this for other users; I can even do this from workstations on other
2k3 domains. However, from what I read, these tickets are only
available to programs which use the KfW API and aren't accessible by
any other programs - for example, Internet Explorer, or Windows' CIFS/
SMB client.
Ideally, what I want to do on the non-domain Windows laptops is
something along the lines of calling kinit from a "Connect to
Network" script, which would then allow network drives to be mapped
and any other kerberos resource in the domain to be used without the
staff member being prompted for a password, as described for our Mac
clients. At the moment it looks like it isn't actually possible to do
this in Windows XP.
PLEASE help! :-)
---
Chris Lowe
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
---
Chris Lowe
I.T. Technician
Diamond Valley College, Victoria
T: (03) 9438 8232
W: www.dvallcoll.vic.edu.au
E: chris.lowe@xxxxxxxxxxxxxxxxxxxx
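The "connect to network" script described in the thread has to decide whether the laptop already holds a usable TGT before mapping shares, and fall back to prompting with kinit when it does not. The following is an added example, not code from the post or from MIT Kerberos for Windows: it parses the text that MIT `klist` prints (the MM/DD/YY date layout is assumed; Heimdal on Mac OS X formats dates differently) and reports whether a kinit prompt is needed. The realm EXAMPLE.EDU, the principal, the cache path and the service names in the sample output are constructed placeholders.

```python
"""Added example (not from the mailing-list post): decide, inside a
"connect to network" script, whether a laptop already holds a usable
Kerberos TGT or must fall back to prompting the user with kinit.

The klist output below is constructed for illustration; the realm,
principal and cache path are placeholders, not values from the post.
"""
from datetime import datetime, timedelta
import re
import subprocess

# Constructed sample of MIT Kerberos `klist` output (dates as MM/DD/YY HH:MM:SS).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: user@EXAMPLE.EDU

Valid starting       Expires              Service principal
03/07/08 22:56:00    03/08/08 08:56:00    krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
03/07/08 22:57:10    03/08/08 08:56:00    HTTP/intranet.example.edu@EXAMPLE.EDU
03/07/08 22:58:42    03/08/08 08:56:00    cifs/fileserver.example.edu@EXAMPLE.EDU
"""

# One ticket line: start timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_klist(text):
    """Return (default_principal, [(starting, expires, service), ...])."""
    principal = None
    tickets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            end = datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
            tickets.append((start, end, m.group(3)))
    return principal, tickets


def tgt_valid_until(tickets, realm):
    """Expiry of the TGT (krbtgt/REALM@REALM) for `realm`, or None if absent."""
    for _start, end, service in tickets:
        if service == "krbtgt/%s@%s" % (realm, realm):
            return end
    return None


def needs_kinit(text, realm, now, margin=timedelta(minutes=5)):
    """True when the script should fall back to prompting with kinit:
    no TGT for the realm, or one expiring within `margin`, so a share
    mapped right now does not lose its ticket moments later."""
    _principal, tickets = parse_klist(text)
    end = tgt_valid_until(tickets, realm)
    return end is None or end - now < margin


def run_klist():
    """Output of the real klist on this machine; empty if klist is absent."""
    try:
        return subprocess.run(["klist"], capture_output=True, text=True,
                              check=False).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    # With a real cache: needs_kinit(run_klist(), "EXAMPLE.EDU", datetime.now())
    # and only then exec `kinit user@EXAMPLE.EDU` (placeholder principal).
    now = datetime(2008, 3, 8, 3, 30)
    print("kinit needed:", needs_kinit(SAMPLE_KLIST, "EXAMPLE.EDU", now))
```

The five-minute margin matters in practice: a script that checks only for the presence of a TGT will happily map a share with a ticket that expires seconds later, and the user then sees a confusing access failure instead of the password prompt the fallback was meant to give them.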