Heimdal KDC, Windows XP and local users
Colleagues,
I have configured Windows XP to use a Heimdal KDC for user authentication.
All existing Windows users can authenticate against the KDC, user
mapping is "ksetup /mapuser * *".
However, Windows does not create a new local user with the same name
as the Kerberos principal I try to authenticate as.
Can this be helped? I want to create a new user in the Kerberos
database only, and this user's profile on the Windows machine should
be created automatically.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: Heimdal KDC, Windows XP and local users
Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> wrote:
> I have configured Windows XP to use a Heimdal KDC for user
> authentication. All existing Windows users can authenticate against
> the KDC, user mapping is "ksetup /mapuser * *".
>
> However, Windows does not create a new local user with the same name
> as the Kerberos principal I try to authenticate as.
No, Windows does not, nor should it. You mapped all principals to a
single user account. If you want separate accounts, you'll need to
actually create the accounts ahead of time and map the principal to the
individual accounts.
> Can this be helped? I want to create a new user in the Kerberos
> database only, and this user's profile on the Windows machine should
> be created automatically.
You may be able to get pGina to do what you want: http://www.pgina.org/
<<CDC
Re: Heimdal KDC, Windows XP and local users
> I have configured Windows XP to use a Heimdal KDC for user authentication.
> All existing Windows users can authenticate against the KDC, user
> mapping is "ksetup /mapuser * *".
>
> However, Windows does not create a new local user with the same name
> as the Kerberos principal I try to authenticate as.
If you have users defined on LDAP, maybe the s+c Authentication
Package (http://sourceforge.net/projects/sc-ap/) might help you. And
if your valid users are not available anywhere, it is not hard to
modify it to drop the LDAP lookups and simply create a local account.
Javier Palacios
Re: Heimdal KDC, Windows XP and local users
Christopher D. Clausen wrote:
> > I have configured Windows XP to use a Heimdal KDC for user
> > authentication. All existing Windows users can authenticate against
> > the KDC, user mapping is "ksetup /mapuser * *".
> >
> > However, Windows does not create a new local user with the same name
> > as the Kerberos principal I try to authenticate as.
>
> No, Windows does not, nor should it.
It is a pity.
Windows does it quite well with a Windows domain and with pGina,
so I expected the same behavior for a Kerberos realm. Perhaps there is
some key in the registry to enable creation of local users/profiles
for Kerberos principals?
> You mapped all principals to a
> single user account.
Actually not.
> If you want separate accounts, you'll need to
> actually create the accounts ahead of time and map the principal to the
> individual accounts.
In fact, the "* *" mapping works fine for any local account if it
a) has the same name as the corresponding Kerberos principal and
b) has been created ahead of time.
The only problem is creation of local accounts/profiles on the fly.
> > Can this be helped? I want to create a new user in the Kerberos
> > database only, and this user's profile on the Windows machine should
> > be created automatically.
>
> You may be able to get pGina to do what you want: http://www.pgina.org/
I know about pGina and have tried it. However my goal was to avoid
installing third party software on Windows workstations, and at the
same time to avoid the excessive complexity of Active Directory.
Kerberos at first seemed to be a good compromise.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: Heimdal KDC, Windows XP and local users
Javier Palacios wrote:
> > I have configured Windows XP to use a Heimdal KDC for user authentication.
> > All existing Windows users can authenticate against the KDC, user
> > mapping is "ksetup /mapuser * *".
> >
> > However, Windows does not create a new local user with the same name
> > as the Kerberos principal I try to authenticate as.
>
> If you have users defined on LDAP, maybe the s+c Authentication
> Package (http://sourceforge.net/projects/sc-ap/) might help you. And
> if your valid users are not available anywhere, it is not hard to
> modify it to drop the LDAP lookups and simply create a local account.
Thank you for the link, however LDAP seems superfluous for my purpose.
The goal was to maintain the user database in just one place, and
Kerberos + LDAP mean two places.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: Heimdal KDC, Windows XP and local users
> Thank you for the link, however LDAP seems superfluous for my purpose.
> The goal was to maintain the user database in just one place, and
> Kerberos + LDAP mean two places.
If you choose the ldap backend for heimdal-kdc (>=0.7.2) it becomes a single place.
And it is extremely easy to tweak the scap code to just create the
user account instead of looking up LDAP to check that user actually
exists.
Javier Palacios
Re: Heimdal KDC, Windows XP and local users
Javier Palacios wrote:
> > Thank you for the link, however LDAP seems superfluous for my purpose.
> > The goal was to maintain the user database in just one place, and
> > Kerberos + LDAP mean two places.
>
> If you choose the ldap backend for heimdal-kdc (>=0.7.2) it becomes a single place.
>
> And it is extremely easy to tweak the scap code to just create the
> user account instead of looking up LDAP to check that user actually
> exists.
Perhaps it is easy, but anyway it would mean installing third party
software to Windows workstations, which I was trying to avoid.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: Heimdal KDC, Windows XP and local users
> > And it is extremely easy to tweak the scap code to just create the
> > user account instead of looking up LDAP to check that user actually
> > exists.
>
> Perhaps it is easy, but anyway it would mean installing third party
> software to Windows workstations, which I was trying to avoid.
And you really hope that Microsoft will support a non-Microsoft KDC out of the box?
Even ksetup.exe is not in the base bundle but in the support tools.
Javier Palacios
Re: Heimdal KDC, Windows XP and local users
Javier Palacios wrote:
> > > And it is extremely easy to tweak the scap code to just create the
> > > user account instead of looking up LDAP to check that user actually
> > > exists.
> >
> > Perhaps it is easy, but anyway it would mean installing third party
> > software to Windows workstations, which I was trying to avoid.
>
> And you really hope that Microsoft will support a non-Microsoft KDC out
> of the box?
They already support it. The only issue is local user/profile creation.
BTW what about Unix? Is there a way to automatically create a local
user if a Kerberos principal successfully authenticates on the box?
Oh well, it is not very useful after all, who in the world needs a
Unix user with the same name and different uid on each box...
> Even ksetup.exe is not in the base bundle but in the support tools.
This seems reasonable. There are a lot of useful utilities in support
tools, however those utilities are not meant for an average user.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: Heimdal KDC, Windows XP and local users
> BTW what about Unix? Is there a way to automatically create a local
> user if a Kerberos principal successfully authenticates on the box?
> Oh well, it is not very useful after all, who in the world needs a
> Unix user with the same name and different uid on each box...
You know about NIS, so you know that you may have the same uid on
different boxes. And younger people who never heard about NIS do know
about nss-ldap. And pam_mkhomedir takes care of "local profile"
creation.
Javier Palacios
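As an added illustration of the Unix-side layout Javier describes (example configuration, not from any poster): account attributes (uid, home, shell) come from the directory via nss-ldap, Kerberos does the authentication, and pam_mkhomedir creates the home directory on first login. The file paths, the Debian-style common-* split and the `minimum_uid` option are assumptions about the target distribution.

```conf
# /etc/nsswitch.conf (assumed path): account attributes are looked up in
# LDAP, so a user "exists" on every box with the same uid and no local entry
passwd:  files ldap
group:   files ldap
shadow:  files ldap

# /etc/pam.d/common-auth (Debian-style layout, assumed): Kerberos first;
# system accounts below uid 1000 still authenticate against /etc/shadow
auth    sufficient  pam_krb5.so  minimum_uid=1000
auth    required    pam_unix.so  use_first_pass

# /etc/pam.d/common-session: pam_mkhomedir is what creates the "local
# profile" (a home directory populated from /etc/skel) on first login;
# umask=0077 keeps the new home private to its owner
session required    pam_mkhomedir.so  skel=/etc/skel umask=0077
session required    pam_unix.so
session optional    pam_krb5.so
```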
Re: Heimdal KDC, Windows XP and local users
Javier Palacios wrote:
> > BTW what about Unix? Is there a way to automatically create a local
> > user if a Kerberos principal successfully authenticates on the box?
> > Oh well, it is not very useful after all, who in the world needs a
> > Unix user with the same name and different uid on each box...
>
> You know about NIS, so you know that you may have the same uid on
> different boxes.
Sure. But this again means the toil of maintaining two databases: the
NIS map and the KDC database.
> And younger people who never heard about NIS do know
> about nss-ldap.
And again, why would we want two databases: LDAP and Kerberos?
> And pam_mkhomedir takes care of "local profile" creation.
Oh yes, I use it on NIS clients.
It is much better for my purposes than NFS-mounted homes.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
Re: Heimdal KDC, Windows XP and local users
On Friday, 11.01.2008, 17:29 +0000, Victor Sudakov wrote:
> Javier Palacios wrote:
> > > BTW what about Unix? Is there a way to automatically create a local
> > > user if a Kerberos principal successfully authenticates on the box?
> > > Oh well, it is not very useful after all, who in the world needs a
> > > Unix user with the same name and different uid on each box...
>
> > You know about NIS, so you know that you may have the same uid on
> > different boxes.
>
> Sure. But this again means the toil of maintaining two databases: the
> NIS map and the KDC database.
I think you will need two databases: one for kerberos credentials and
another one for account information. Kerberos does not tell you about a
user's home directory or shell...
> > And younger people who never heard about NIS do know
> > about nss-ldap.
>
> And again, why would we want two databases: LDAP and Kerberos?
>
> > And pam_mkhomedir takes care of "local profile" creation.
>
> Oh yes, I use it on NIS clients.
> It is much better for my purposes than NFS-mounted homes.
>
--
Volkmar Glauche
Freiburg Brain Imaging
http://fbi.uniklinik-freiburg.de/
Phone +49(0)761 270-5331
Fax +49(0)761 270-5416
Re: Heimdal KDC, Windows XP and local users
On Jan 14, 2008 12:06 PM, Volkmar Glauche
<volkmar.glauche@uniklinik-freiburg.de> wrote:
> > Sure. But this again means the toil of maintaining two databases: the
> > NIS map and the KDC database.
>
> I think you will need two databases: one for kerberos credentials and
> another one for account information. Kerberos does not tell you about a
> user's home directory or shell...
You don't need two databases. Both heimdal and MIT current versions
allow LDAP as "database" for credentials so you have a single
database. I've not used MIT, but I've been using heimdal-ldap for a
long time without problems.
Maybe you need two interfaces, but just because you cannot set the
password using only LDAP tools (unless you know the internals of the
way passwords are encoded into the kerberos repository).
Javier Palacios
Re: Heimdal KDC, Windows XP and local users
On Monday, 14.01.2008, 12:27 +0100, Javier Palacios wrote:
> On Jan 14, 2008 12:06 PM, Volkmar Glauche
> <volkmar.glauche@uniklinik-freiburg.de> wrote:
> > > Sure. But this again means the toil of maintaining two databases: the
> > > NIS map and the KDC database.
> >
> > I think you will need two databases: one for kerberos credentials and
> > another one for account information. Kerberos does not tell you about a
> > user's home directory or shell...
>
> You don't need two databases. Both heimdal and MIT current versions
> allow LDAP as "database" for credentials so you have a single
> database. I've not used MIT, but I've been using heimdal-ldap for a
> long time without problems.
This is true. I'm doing the same with heimdal as you. But if there are
security concerns about storing kerberos credentials in LDAP, then you
need 2 databases. A KDC doesn't store other things than credentials in
its native database.
> Maybe you need two interfaces, but just because you cannot set the
> password using only LDAP tools (unless you know the internals of the
> way passwords are encoded into the kerberos repository).
>
> Javier Palacios
--
Volkmar Glauche
Freiburg Brain Imaging
http://fbi.uniklinik-freiburg.de/
Phone +49(0)761 270-5331
Fax +49(0)761 270-5416
Re: Heimdal KDC, Windows XP and local users
> > You don't need two databases. Both heimdal and MIT current versions
> > allow LDAP as "database" for credentials so you have a single
> > database. I've not used MIT, but I've been using heimdal-ldap for a
> > long time without problems.
>
> This is true. I'm doing the same with heimdal as you. But if there are
> security concerns about storing kerberos credentials in LDAP, then you
> need 2 databases. A KDC doesn't store other things than credentials in
> its native database.
Having encrypted keys (mkey_file) and a strict ACL for ldap access
covers online and backup security. And as root can read everything
anyway, that's enough for me.
Javier Palacios
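To make the two safeguards Javier names concrete, here is an added example configuration (not from any poster or from the Heimdal project): a Heimdal KDC section that keeps its principal database in LDAP with the stored keys encrypted under a master key, next to an OpenLDAP access rule for the key attributes, shown first in a weak form and then in the strict form. The base DN, file paths and the KDC's bind DN are constructed placeholders; the attribute names follow Heimdal's hdb LDAP schema.

```conf
# /etc/krb5.conf (assumed path): Heimdal KDC with an LDAP-backed database.
# mkey_file makes the KDC encrypt every stored key with the master key, so
# a raw copy of the directory (or a backup) does not yield usable keys.
[kdc]
        database = {
                dbname    = ldap:ou=KerberosPrincipals,dc=example,dc=com
                mkey_file = /var/heimdal/m-key
                acl_file  = /var/heimdal/kadmind.acl
        }

# /etc/openldap/slapd.conf (assumed path): access rules. OpenLDAP applies
# the first matching "access to" clause, so the key rule must come first.

# WEAK: a blanket read on the subtree hands the (master-key-encrypted)
# krb5Key values to every client that can bind, including anonymous ones.
#access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
#        by * read

# STRICT: only the KDC/kadmind identity (constructed DN) may read or
# write key material; everyone else is denied. Password changes then go
# through kpasswd/kadmin, which is the "second interface" the thread
# mentions even though there is a single database.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
        attrs=krb5Key,krb5KeyVersionNumber
        by dn.exact="cn=kdc,dc=example,dc=com" write
        by * none

# Non-secret principal attributes (name, flags, lifetimes) stay readable
# to authenticated clients such as nss-ldap, never to anonymous binds.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
        by dn.exact="cn=kdc,dc=example,dc=com" write
        by users read
        by anonymous none
```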