FreeBSD Unix, Kerberos 5, and Windows 2000 Active Directory

Post by Simon Chan » Mon, 17 Dec 2001 04:03:39



Howdy,

Recently decided to scrap my WWW/FTP hosting machine (dual Pentium Pro 200
MHz, 128 MB RAM, running Microsoft IIS 4.0) in favor of FreeBSD 4.4-RELEASE
and Apache (probably 1.13.22).  Although I am doing web hosting stuff on
this machine, the rest of my household is on a Windows 2000 Active Directory
domain which, as you may be aware, uses Kerberos 5 as authentication
mechanism.

The question is:  Has anyone ever attempted to integrate a BSD machine into
a Win2K infrastructure using Kerberos?  What I would ideally like to do is
not only sharing files between all the machines in my house (which can
easily be done using Samba), but passing authentication credentials to the
BSD machine as well so that I maintain a single-logon architecture?

Looking forward to comments and feedback.  TIA.

Simon Chang

 
 
 

Post by Jed Clea » Mon, 17 Dec 2001 08:48:29


From what I've heard, MS "embraced and extended" Kerberos, and passes
some additional proprietary info.  I seem to recall you might be better
off running the KDC on a Unix box.  More info on this here
http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#ntbroken

Here's a Kerberos reference to bookmark http://web.mit.edu/kerberos/www/


> Howdy,

> Recently decided to scrap my WWW/FTP hosting machine (dual Pentium Pro 200
> MHz, 128 MB RAM, running Microsoft IIS 4.0) in favor of FreeBSD 4.4-RELEASE
> and Apache (probably 1.13.22).  Although I am doing web hosting stuff on
> this machine, the rest of my household is on a Windows 2000 Active Directory
> domain which, as you may be aware, uses Kerberos 5 as authentication
> mechanism.

> The question is:  Has anyone ever attempted to integrate a BSD machine into
> a Win2K infrastructure using Kerberos?  What I would ideally like to do is
> not only sharing files between all the machines in my house (which can
> easily be done using Samba), but passing authentication credentials to the
> BSD machine as well so that I maintain a single-logon architecture?

> Looking forward to comments and feedback.  TIA.

> Simon Chang


 
 
 

Post by John Nielse » Mon, 17 Dec 2001 12:33:27



> Howdy,

> Recently decided to scrap my WWW/FTP hosting machine (dual Pentium Pro 200
> MHz, 128 MB RAM, running Microsoft IIS 4.0) in favor of FreeBSD 4.4-RELEASE
> and Apache (probably 1.13.22).  Although I am doing web hosting stuff on
> this machine, the rest of my household is on a Windows 2000 Active Directory
> domain which, as you may be aware, uses Kerberos 5 as authentication
> mechanism.

> The question is:  Has anyone ever attempted to integrate a BSD machine into
> a Win2K infrastructure using Kerberos?  What I would ideally like to do is
> not only sharing files between all the machines in my house (which can
> easily be done using Samba), but passing authentication credentials to the
> BSD machine as well so that I maintain a single-logon architecture?

This isn't relevant to Kerberos, but Samba will accept Windows 2000
authentication just fine.  You do need to essentially duplicate the user
list on the FreeBSD machine, though, which is probably what you're trying to
avoid.  Anyway, if you want to go this route just have "encrypt passwords =
yes" in smb.conf and run "smbpasswd -a" for all your windows users.

JN
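
The two settings John names, placed in a minimal smb.conf as an added example (this is not John's file and not a Samba project sample): the `[global]` block shows the plaintext setting a Windows 2000 client will not use beside the encrypted one he recommends. The file path, the `HOME` workgroup and the `BSDBOX` name are assumptions.

```ini
; /usr/local/etc/smb.conf (path of the FreeBSD Samba port; assumed), Samba 2.2.x
; Added example, not the file from the thread. Samba keeps everything after
; "=" as the value, so comments stay on their own lines.
[global]
    ; assumed: the NetBIOS name of the household Win2K domain
    workgroup = HOME
    netbios name = BSDBOX
    ; authenticate against this box's own smbpasswd database
    security = user

    ; The setting that does NOT work: a Windows 2000 client refuses to send
    ; a plaintext password by default, so every logon fails before Samba
    ; ever checks it.
    ;encrypt passwords = no

    ; What the post recommends: NTLM challenge/response against the NT
    ; hashes stored by "smbpasswd -a <user>". Each Windows user also needs a
    ; matching Unix account (the duplicated user list). The smbpasswd file
    ; holds password-equivalent hashes: keep it root-only, mode 0600.
    encrypt passwords = yes

[homes]
    comment = Home directories
    browseable = no
    writable = yes
```

With this in place the workflow is: create the Unix account, run `smbpasswd -a <user>` with the same password the user has in the domain, and repeat whenever the Windows password changes. That last step is the cost of this route: nothing keeps the two password stores in sync, which is exactly the duplication the original question wanted to avoid.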

 
 
 

Post by Jason Bourn » Mon, 17 Dec 2001 16:10:48


Greetings:

        I am certainly no expert (rather being an idiot), but I seem to recall
that if the Win2K domain is in native mode it doesn't do NTLM auth (I don't
remember if this was automatic or whether I turned it off manually); for
backwards compatibility with NT 4.0/NTLM the domain servers need to be
using Mixed mode. I believe Mixed mode can be up-converted to Native, but
not vice versa without a reinstall. I think NTLM is what SAMBA works with.

[snip]

> This isn't relevant to Kerberos, but Samba will accept Windows 2000
> authentication just fine.  You do need to essentially duplicate the user
> list on the FreeBSD machine, though, which is probably what you're trying to
> avoid.  Anyway, if you want to go this route just have "encrypt passwords =
> yes" in smb.conf and run "smbpasswd -a" for all your windows users.

> JN

 
 
 

Post by David Magd » Tue, 18 Dec 2001 01:09:40



> From what I've heard, MS "embraced and extended" Kerberos, and passes
> some additional proprietary info.  I seem to recall you might be better
> off running the KDC on a Unix box.  More info on this here
> http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#ntbroken

> Here's a Kerberos reference to bookmark http://web.mit.edu/kerberos/www/

I was doing some reading on K5 a while back and ran across the
following URL which may be useful:

  http://www.microsoft.com/windows2000/techinfo/planning/ \
        security/kerbsteps.asp

It's how to have Win2K and an MIT K5 implementation talk to each
other. I haven't tried it myself so I don't know how accurate it is.

--
David Magda <dmagda at ee.ryerson.ca>
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI

 
 
 

Post by Eino Tuomine » Wed, 19 Dec 2001 00:15:57



> The question is:  Has anyone ever attempted to integrate a BSD machine into
> a Win2K infrastructure using Kerberos?  What I would ideally like to do is

Not a BSD, but I once did successfully configure one Solaris box
to authenticate with a W2K kerberos realm. I found a step-by-step
guide from the MS website, and it's probably this:
<http://www.microsoft.com/WINDOWS2000/techinfo/howitworks/
communications/trafficmgmt/rsvp.asp>

I can't verify whether it is the document I mean, because our Citrix
server is dead, and Microsoft offers only .doc documents... If
that's the wrong page, please let me know; I might have the
correct one bookmarked on my laptop.

--
  Eino Tuominen

 
 
 

Post by Brian Skree » Wed, 19 Dec 2001 19:41:43



> Greetings:

>         I am certainly no expert (rather being an idiot) but I seem to recall
> that if the Win2K domain is native mode it doesn't do NTLM auth; (don't
> remember if this was automatic or whether I turned it off manually) for
> backwards compatibility with NT 4.0/NTLM the domain servers need to be
> using Mixed mode. I believe Mixed mode can be up converted to native, but
> not vice versa without reinstall. I think NTLM is what SAMBA works with..

Untrue, ADS DCs retain NTLM authentication on all domain controllers
whether in Native or Mixed mode.
 
 
 

Post by Michael L Squir » Wed, 19 Dec 2001 22:07:04





>> The question is:  Has anyone ever attempted to integrate a BSD machine into
>> a Win2K infrastructure using Kerberos?  What I would ideally like to do is

Either the current or previous month's SysAdmin mag has an article on
doing this from a LINUX box, which should be close enough to be
useful.

MLS

 
 
 

Post by Jason Bourn » Fri, 21 Dec 2001 21:34:52





>> Greetings:

>>         I am certainly no expert (rather being an idiot) but I seem to recall
>> that if the Win2K domain is native mode it doesn't do NTLM auth; (don't
>> remember if this was automatic or whether I turned it off manually) for
>> backwards compatibility with NT 4.0/NTLM the domain servers need to be
>> using Mixed mode. I believe Mixed mode can be up converted to native, but
>> not vice versa without reinstall. I think NTLM is what SAMBA works with..

> Untrue, ADS DCs retain NTLM authentication on all domain controllers
> whether in Native or Mixed mode.

Yes, I looked back at my notes and I turned it off manually as I no longer
have need of it. You are indeed correct. It is for backwards compatibility
and in a pure Win2K domain not needed. I use Kerberos auth + IPsec data
communications on the inner LAN. My BSD stuff is all in the DMZ, so while
someone may be playing in the DMZ it might give me time to recognize and
counter before they breach the inner firewall. And if they get through the
inner one the beast is different. I just thought that the IPsec may be a little
more difficult to deal with. I tried BSD as an experiment to test a
hypothesis that a more mature OS could run interference and create a buffer
of protection between the $MS and the Inet. It has largely worked well.
 
 
 

pam_krb5 with Windows 2000 Active Directory, Linux crashes!

Hello there,

We have 2 servers, one RedHat 7.2 and one Windows 2000 server with Active
Directory. All the users on the domain are duplicated, so we added the users to
both Linux and Windows. We use the Win2K server as domain server and the RedHat
server as mail server. We want to sync the passwords and let the Win2K box be
the master, so that a user only has to change his Win2K password. So we
used pam_krb5 in /etc/pam.d/system-auth:

auth        sufficient    /lib/security/pam_krb5.so use_first_pass

This works like we want; with POP3 (for example), the user's password is
checked at the Win2K box. But the problem is that sometimes the Linux box
crashes when using the module.

Does anybody have the same experience ?
Is there an updated module out there ?
Is there another way to check the passwords on the win2k box ?

Greetz,

Ronald van 't Klooster
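
The single PAM line above is all the post shows of the setup. The rest of what such a box needs, written out as an added example (these are not Ronald's files, and not text from Microsoft or the pam_krb5 authors): a krb5.conf that names the Windows 2000 DC as the KDC, and the auth section of system-auth in the Red Hat 7.2 layout the post uses. The realm `HOME.EXAMPLE` and the host `dc1.home.example` are assumptions.

```ini
# --- /etc/krb5.conf: make the MIT libraries trust the Win2K DC as KDC ---
# Realm and host names (HOME.EXAMPLE, dc1) are assumptions for this example.
# The profile parser keeps the whole rest of the line as the value, so
# comments go on their own lines.
[libdefaults]
    # an AD realm is the DNS domain name in upper case
    default_realm = HOME.EXAMPLE
    # AD rejects requests whose timestamp is off by more than 5 minutes;
    # keep the box on NTP or every login fails with "clock skew too great"
    clockskew = 300

[realms]
    HOME.EXAMPLE = {
        # the Windows 2000 domain controller is the KDC
        kdc = dc1.home.example:88
        admin_server = dc1.home.example
        # Win2K DCs implement the kpasswd protocol on port 464
        kpasswd_server = dc1.home.example
    }

[domain_realm]
    .home.example = HOME.EXAMPLE
    home.example = HOME.EXAMPLE

# --- /etc/pam.d/system-auth (Red Hat 7.2 layout as in the post), auth part ---
# Try the local shadow entry first, then the DC. use_first_pass makes
# pam_krb5 reuse the password pam_unix already prompted for, so the user is
# asked once. pam_deny is the explicit terminal failure: if neither module
# accepts the password the stack fails closed rather than relying on the
# default.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so
auth        sufficient    /lib/security/pam_krb5.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
```

Two caveats a practitioner should keep in mind. First, pam_krb5 in this form only proves that some KDC answered the AS request for that password; with no host principal and keytab on the Linux box there is nothing to validate the returned TGT against, so a machine that can answer as the KDC on the LAN can authenticate any password it likes (KDC spoofing). Check the module's man page for the option that validates the ticket against /etc/krb5.keytab and enable it once the box has a host principal in the domain. Second, this is still password-based: the POP3 client sends the password to the Linux box, which forwards it to the DC. Single sign-on in the sense of the original question, where the Windows logon ticket is accepted directly, requires a Kerberized service (GSSAPI) on the Unix side, not a PAM password check.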
