[19631] in Kerberos


RE: Windows 2000 Server as KDC

daemon@ATHENA.MIT.EDU (Mel Riser)
Tue Jul 22 11:07:28 2003

Date: Tue, 22 Jul 2003 10:05:49 -0500
Message-ID: <A0E465D8EE21FE4EA9DB3C11F48EB1FB015654E4@europa.mesas.mis>
From: "Mel Riser" <mel.riser@fxfn.com>
To: "Ken Hornstein" <kenh@cmf.nrl.navy.mil>, "John Rudd" <jrudd@ucsc.edu>
cc: kerberos@mit.edu

EXACTLY

Plus the krb4 versions had so many bad security flaws, we had no choice. When the bad krb4 bug came out last year, we removed any dependencies or backwards-compatible 4 code and just use 5.

mel

-----Original Message-----
From: Ken Hornstein [mailto:kenh@cmf.nrl.navy.mil]
Sent: Tuesday, July 22, 2003 9:52 AM
To: John Rudd
Cc: kerberos@mit.edu
Subject: Re: Windows 2000 Server as KDC 


>> an easier solution would be to setup a windows realm for Win2k KDC and a cross
>> realm trust with a linux box in a different realm.
>> 
>
>We were doing this (with Solaris, not Linux), but when the bug and fix
>for the cross-realm security hole came out a few months ago, that caused
>it all to break (we need krb4 cross-realm auth because AFS is in the
>picture).  So, we're basically running an older un-patched krb524d in
>order to keep things working ... but that doesn't make me comfortable in
>the long run, so I'm looking for other solutions.

So why haven't you switched to a V5 solution for AFS?  Lots of people
have done this, and it works just fine, even with cross-realm.  This
is assuming you're running a new enough version of OpenAFS, of course.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
