
I have a well-working setup using OpenLDAP for user information and Kerberos for authentication, but we need to have Windows integration too, and for this we have decided that moving into Active Directory could be a good idea. Moving account information from OpenLDAP is quite trivial and easily done, but I have a problem: how to move passwords/auth information from MIT Kerberos to AD?

I understand some kind of delegation between them is possible, but this wouldn't solve my problem? Or can I do AD authentication against a MIT Kerberos KDC? Passwords are stored as hashes in Kerberos, so I cannot move them in cleartext. I wonder if the hashes would be compatible between MIT and AD, since I can enter the password into AD in encrypted form, too.

Does anyone have experience with this? What would be your suggestion, aside from just requiring all my users to change passwords and having one major hassle when all authentication switches from one place to the other without any co-existence?

tstm

3 Answers


But I have a problem: how to move passwords/auth information from MIT Kerberos to AD?

You don't. While Kerberos hashes have to be the same between systems, because they're used as encryption and decryption keys, none of the public APIs allow setting them directly. Given that AD requires to be given plaintext passwords, and your LDAP/KRB5 install is dutifully discarding that, you need to either wait for a password change or break the cardinal rule and keep passwords around in reversible form, at least temporarily, assuming you've got some middleware for sending password changes to OpenLDAP/Kerberos that you can instrument.

I understand some kind of delegation between them is possible, but this wouldn't solve my problem? Or can I do AD authentication against a MIT Kerberos KDC?

This is the approach we're considering at the moment. Authenticating to Windows using Kerberos is known as a cross-realm trust. A few important things to note: finding an encryption type common to all realms is critical, and will usually depend on AD. The version of AD you're using typically dictates the crypt of the day. The best guide to setting this up I've found actually comes from Microsoft: Kerberos Interoperability Step-by-Step Guide for Windows Server 2003. The key problem I ran into was telling it which encryption type to use for the cross-realm trust, which other guides written a long time ago neglected to mention.

jldugger
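An added illustration of why the stored Kerberos keys cannot simply be copied into AD (this is example code, not from the answer above): an RFC 3962 AES key is derived from the password with PBKDF2-HMAC-SHA1 using a salt that contains the realm name, so the key is one-way and tied to the realm. The block implements the default salt rule and the PBKDF2 stage only; the final DK(tkey, "kerberos") AES step of the real string-to-key function is omitted, and the principals and passwords are constructed sample values.

```python
import hashlib

# RFC 3962: the default string-to-key parameter is 4096 PBKDF2 iterations.
DEFAULT_ITERATIONS = 4096


def default_salt(principal: str) -> str:
    """RFC 4120 default salt: the realm name followed by the principal's
    name components concatenated with no separators."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def aes_string_to_key_stage1(password: str, salt: str, key_bytes: int,
                             iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key function.
    The actual AES key is DK(tkey, "kerberos") computed from this value;
    that step is left out here since the point is the salted, one-way
    derivation, not the final key bytes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def realm_move_changes_key(password: str, user: str,
                           old_realm: str, new_realm: str) -> bool:
    """True if moving the same user and password to a different realm name
    yields a different stored key, i.e. the old KDC's key material cannot
    be reused and the plaintext is needed again."""
    old = aes_string_to_key_stage1(password, default_salt(f"{user}@{old_realm}"), 32)
    new = aes_string_to_key_stage1(password, default_salt(f"{user}@{new_realm}"), 32)
    return old != new


if __name__ == "__main__":
    # Constructed sample values, not taken from the question.
    print(default_salt("alice@UNIX.EXAMPLE.COM"))
    print(realm_move_changes_key("Correct-Horse-42", "alice",
                                 "UNIX.EXAMPLE.COM", "AD.EXAMPLE.COM"))
```

The vector password "password" with salt "ATHENA.MIT.EDUraeburn" and one iteration is the published RFC 3962 Appendix B test case, which is what the test below checks.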

It would be a good idea to look at using a solution like the one in the link below:

http://www.centrify.com/solutions/unix-linux-identity-management.asp

As far as migrating, you could use a system like PCNS for password syncing as you are moving. You would run both systems in parallel for a while and have several "everyone reset their password" days to make sure they are in sync before the move. PCNS is a FAR better solution than Kerberos interop for what you are doing.

PCNS (Password Change Notification Service) runs on a domain controller and forwards passwords to a "target" that then sets the password. The following link explains how to do it.

http://technet.microsoft.com/en-us/library/bb463208.aspx

If you are building a new AD forest, look into security GPO settings BEFORE you build it. That way you can start as secure as possible... I'm talking about NTLM versions, LDAP signing, etc.

Joshua Toon

Samba4 and FreeIPA can allow Windows workstations to authenticate. Have you considered one of those?

rjt