Heimdal KDC, Windows XP and local users - Kerberos



Thread: Heimdal KDC, Windows XP and local users

  1. Heimdal KDC, Windows XP and local users

    Colleagues,

    I have configured Windows XP to use a Heimdal KDC for user authentication.
    All existing Windows users can authenticate against the KDC, user
    mapping is "ksetup /mapuser * *".

    However, Windows does not create a new local user with the same name
    as the Kerberos principal I try to authenticate as.

    Can this be helped? I want to create a new user in the Kerberos
    database only, and this user's profile on the Windows machine should
    be created automatically.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  2. Re: Heimdal KDC, Windows XP and local users

    Victor Sudakov wrote:
    > I have configured Windows XP to use a Heimdal KDC for user
    > authentication. All existing Windows users can authenticate against
    > the KDC, user
    > mapping is "ksetup /mapuser * *".
    >
    > However, Windows does not create a new local user with the same name
    > as the Kerberos principal I try to authenticate as.


    No, Windows does not, nor should it. You mapped all principals to a
    single user account. If you want separate accounts, you'll need to
    actually create the accounts ahead of time and map the principal to the
    individual accounts.

    > Can this be helped? I want to create a new user in the Kerberos
    > database only, and this user's profile on the Windows machine should
    > be created automatically.


    You may be able to get pGina to do what you want: http://www.pgina.org/


  3. Re: Heimdal KDC, Windows XP and local users

    > I have configured Windows XP to use a Heimdal KDC for user authentication.
    > All existing Windows users can authenticate against the KDC, user
    > mapping is "ksetup /mapuser * *".
    >
    > However, Windows does not create a new local user with the same name
    > as the Kerberos principal I try to authenticate as.


    If you have users defined on LDAP, maybe the s+c Authentication
    Package (http://sourceforge.net/projects/sc-ap/) might help you. And
    if your valid users are not available anywhere, it is not hard to
    modify to drop the LDAP lookups and simply create a local account.

    Javier Palacios

  4. Re: Heimdal KDC, Windows XP and local users

    Christopher D. Clausen wrote:
    > > I have configured Windows XP to use a Heimdal KDC for user
    > > authentication. All existing Windows users can authenticate against
    > > the KDC, user
    > > mapping is "ksetup /mapuser * *".
    > >
    > > However, Windows does not create a new local user with the same name
    > > as the Kerberos principal I try to authenticate as.


    > No, Windows does not, nor should it.


    It is a pity.

    Windows does it quite well with a Windows domain and with pGina,
    so I expected the same behavior for a Kerberos realm. Perhaps there is
    some key in the registry to enable creation of local users/profiles
    for Kerberos principals?

    > You mapped all principals to a
    > single user account.


    Actually not.

    > If you want separate accounts, you'll need to
    > actually create the accounts ahead of time and map the principal to the
    > individual accounts.


    In fact, the "* *" mapping works fine for any local account if it
    a) has the same name as the corresponding Kerberos principal and
    b) has been created ahead of time.

    The only problem is creation of local accounts/profiles on the fly.

    > > Can this be helped? I want to create a new user in the Kerberos
    > > database only, and this user's profile on the Windows machine should
    > > be created automatically.


    > You may be able to get pGina to do what you want: http://www.pgina.org/


    I know about pGina and have tried it. However my goal was to avoid
    installing third party software on Windows workstations, and at the
    same time to avoid the excessive complexity of Active Directory.
    Kerberos at first seemed to be a good compromise.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  5. Re: Heimdal KDC, Windows XP and local users

    Javier Palacios wrote:
    > > I have configured Windows XP to use a Heimdal KDC for user authentication.
    > > All existing Windows users can authenticate against the KDC, user
    > > mapping is "ksetup /mapuser * *".
    > >
    > > However, Windows does not create a new local user with the same name
    > > as the Kerberos principal I try to authenticate as.


    > If you have users defined on LDAP, maybe the s+c Authentication
    > Package (http://sourceforge.net/projects/sc-ap/) might help you. And
    > if your valid users are not available anywhere, it is not hard to
    > modify to drop the LDAP lookups and simply create a local account.


    Thank you for the link, however LDAP seems superfluous for my purpose.
    The goal was to maintain the user database in just one place, and
    Kerberos + LDAP mean two places.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  6. Re: Heimdal KDC, Windows XP and local users

    > Thank you for the link, however LDAP seems superfluous for my purpose.
    > The goal was to maintain the user database in just one place, and
    > Kerberos + LDAP mean two places.


    If you choose LDAP-backed heimdal-kdc (>=0.7.2) it becomes a single place.

    And it is extremely easy to tweak the scap code to just create the
    user account instead of looking up LDAP to check that user actually
    exists.

    Javier Palacios

  7. Re: Heimdal KDC, Windows XP and local users

    Javier Palacios wrote:
    > > Thank you for the link, however LDAP seems superfluous for my purpose.
    > > The goal was to maintain the user database in just one place, and
    > > Kerberos + LDAP mean two places.


    > If you choose LDAP-backed heimdal-kdc (>=0.7.2) it becomes a single place.


    > And it is extremely easy to tweak the scap code to just create the
    > user account instead of looking up LDAP to check that user actually
    > exists.


    Perhaps it is easy, but anyway it would mean installing third party
    software to Windows workstations, which I was trying to avoid.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  8. Re: Heimdal KDC, Windows XP and local users

    > > And it is extremely easy to tweak the scap code to just create the
    > > user account instead of looking up LDAP to check that user actually
    > > exists.

    >
    > Perhaps it is easy, but anyway it would mean installing third party
    > software to Windows workstations, which I was trying to avoid.


    And you really hope that Microsoft will support a non-Microsoft KDC out of the box?
    Even ksetup.exe is not in the base bundle but in the Support Tools.

    Javier Palacios

  9. Re: Heimdal KDC, Windows XP and local users

    Javier Palacios wrote:
    > > > And it is extremely easy to tweak the scap code to just create the
    > > > user account instead of looking up LDAP to check that user actually
    > > > exists.

    > >
    > > Perhaps it is easy, but anyway it would mean installing third party
    > > software to Windows workstations, which I was trying to avoid.


    > And you really hope that Microsoft will support a non-Microsoft KDC out
    > of the box?


    They already support it. The only issue is local user/profile creation.

    BTW what about Unix? Is there a way to automatically create a local
    user if a Kerberos principal successfully authenticates on the box?
    Oh well, it is not very useful after all, who in the world needs a
    Unix user with the same name and different uid on each box...

    > Even ksetup.exe is not in the base bundle but in the Support Tools.


    This seems reasonable. There are a lot of useful utilities in support
    tools, however those utilities are not meant for an average user.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  10. Re: Heimdal KDC, Windows XP and local users

    > BTW what about Unix? Is there a way to automatically create a local
    > user if a Kerberos principal successfully authenticates on the box?
    > Oh well, it is not very useful after all, who in the world needs a
    > Unix user with the same name and different uid on each box...


    You know about NIS, so you know that you may have the same uid on
    different boxes. And younger people who never heard about NIS do know
    about nss-ldap. And pam_mkhomedir takes care of "local profile"
    creation.

    Javier Palacios

  11. Re: Heimdal KDC, Windows XP and local users

    Javier Palacios wrote:
    > > BTW what about Unix? Is there a way to automatically create a local
    > > user if a Kerberos principal successfully authenticates on the box?
    > > Oh well, it is not very useful after all, who in the world needs a
    > > Unix user with the same name and different uid on each box...


    > You know about NIS, so you know that you may have the same uid on
    > different boxes.


    Sure. But this again means the toil of maintaining two databases: the
    NIS map and the KDC database.

    > And younger people who never heard about NIS do know
    > about nss-ldap.


    And again, why would we want two databases: LDAP and Kerberos?

    > And pam_mkhomedir takes care of "local profile" creation.


    Oh yes, I use it on NIS clients.
    It is much better for my purposes than NFS-mounted homes.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  12. Re: Heimdal KDC, Windows XP and local users


    On Friday, 11.01.2008, 17:29 +0000, Victor Sudakov wrote:
    > Javier Palacios wrote:
    > > > BTW what about Unix? Is there a way to automatically create a local
    > > > user if a Kerberos principal successfully authenticates on the box?
    > > > Oh well, it is not very useful after all, who in the world needs a
    > > > Unix user with the same name and different uid on each box...

    >
    > > You know about NIS, so you know that you may have the same uid on
    > > different boxes.

    >
    > Sure. But this again means the toil of maintaining two databases: the
    > NIS map and the KDC database.


    I think you will need two databases: one for kerberos credentials and
    another one for account information. Kerberos does not tell you about a
    user's home directory or shell...

    > > And younger people who never heard about NIS do know
    > > about nss-ldap.

    >
    > And again, why would we want two databases: LDAP and Kerberos?
    >
    > > And pam_mkhomedir takes care of "local profile" creation.

    >
    > Oh yes, I use it on NIS clients.
    > It is much better for my purposes than NFS-mounted homes.
    >

    --
    Volkmar Glauche

    Freiburg Brain Imaging
    http://fbi.uniklinik-freiburg.de/
    Phone +49(0)761 270-5331
    Fax +49(0)761 270-5416


  13. Re: Heimdal KDC, Windows XP and local users

    On Jan 14, 2008 12:06 PM, Volkmar Glauche wrote:
    > > Sure. But this again means the toil of maintaining two databases: the
    > > NIS map and the KDC database.

    >
    > I think you will need two databases: one for kerberos credentials and
    > another one for account information. Kerberos does not tell you about a
    > user's home directory or shell...


    You don't need two databases. Both heimdal and MIT current versions
    allow LDAP as "database" for credentials so you have a single
    database. I've not used MIT, but I've been using heimdal-ldap for a
    long time without problems.
    Maybe you need two interfaces, but just because you cannot set the
    password using only LDAP tools (unless you know the internals of the
    way passwords are encoded into the kerberos repository).

    Javier Palacios

  14. Re: Heimdal KDC, Windows XP and local users


    On Monday, 14.01.2008, 12:27 +0100, Javier Palacios wrote:
    > On Jan 14, 2008 12:06 PM, Volkmar Glauche wrote:
    > > > Sure. But this again means the toil of maintaining two databases: the
    > > > NIS map and the KDC database.

    > >
    > > I think you will need two databases: one for kerberos credentials and
    > > another one for account information. Kerberos does not tell you about a
    > > user's home directory or shell...

    >
    > You don't need two databases. Both heimdal and MIT current versions
    > allow LDAP as "database" for credentials so you have a single
    > database. I've not used MIT, but I've been using heimdal-ldap for a
    > long time without problems.


    This is true. I'm doing the same with heimdal as you. But if there are
    security concerns about storing kerberos credentials in LDAP, then you
    need 2 databases. A KDC doesn't store other things than credentials in
    its native database.

    > Maybe you need two interfaces, but just because you cannot set the
    > password using only LDAP tools (unless you know the internals of the
    > way passwords are encoded into the kerberos repository).
    >
    > Javier Palacios

    --
    Volkmar Glauche

    Freiburg Brain Imaging
    http://fbi.uniklinik-freiburg.de/
    Phone +49(0)761 270-5331
    Fax +49(0)761 270-5416


  15. Re: Heimdal KDC, Windows XP and local users

    > > You don't need two databases. Both heimdal and MIT current versions
    > > allow LDAP as "database" for credentials so you have a single
    > > database. I've not used MIT, but I've been using heimdal-ldap for a
    > > long time without problems.

    >
    > This is true. I'm doing the same with heimdal as you. But if there are
    > security concerns about storing kerberos credentials in LDAP, then you
    > need 2 databases. A KDC doesn't store other things than credentials in
    > its native database.


    Having encrypted keys (mkey_file) and strict ACLs for LDAP access
    covers online and backup security. And as root can read everything,
    that's enough for me.

    Javier Palacios
