[19632] in Kerberos
Re: Windows 2000 Server as KDC
daemon@ATHENA.MIT.EDU (John Rudd)
Tue Jul 22 11:27:30 2003
Date: Tue, 22 Jul 2003 08:25:13 -0700
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
From: John Rudd <jrudd@ucsc.edu>
In-Reply-To: <200307221452.h6MEqEsG028607@ginger.cmf.nrl.navy.mil>
Message-Id: <B0B6E748-BC58-11D7-A34A-003065F939FE@ucsc.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
On Tuesday, Jul 22, 2003, at 07:52 US/Pacific, Ken Hornstein wrote:
>
>>> an easier solution would be to set up a windows realm for Win2k KDC
>>> and a cross realm trust with a linux box in a different realm.
>>>
>>
>> We were doing this (with Solaris, not Linux), but when the bug and fix
>> for the cross-realm security hole came out a few months ago, that caused
>> it all to break (we need krb4 cross-realm auth because AFS is in the
>> picture). So, we're basically running an older un-patched krb524d in
>> order to keep things working ... but that doesn't make me comfortable in
>> the long run, so I'm looking for other solutions.
>
> So why haven't you switched to a V5 solution for AFS? Lots of people
> have done this, and it works just fine, even with cross-realm. This
> is assuming you're running a new enough version of OpenAFS, of course.
>
We're not running OpenAFS. Still Transarc AFS.
I hadn't heard that there's a pure krb5 solution for AFS, though ...
even with OpenAFS.
John