Re: Hardening NIS+

From: Charles Clancy (security@xauth.net)
Date: 08/22/02


Date: Wed, 21 Aug 2002 19:24:27 -0500 (CDT)
From: Charles Clancy <security@xauth.net>
To: Reg Quinton <reggers@ist.uwaterloo.ca>


> > IMHO, the best combination for ease of administration and security is to
> > use Kerberos with NIS+.
>
> I am curious .... Has anyone configured a Solaris machine to use Kerberos
> authentication against a Microsoft Active Directory?
>
> If I'm so lucky to find someone who has done so... what's required?

There have been many threads on the OpenAFS mailing lists about making AFS
and ADS play together via k5 authentication, and several people have
reported their successes. Without the AFS integration, things are much
easier -- all you should have to do is configure your /etc/krb5/krb5.conf
under Solaris. In theory, you could then use ADS LDAP for NSS info, and
have complete ADS authentication under Solaris. (I'm not aware of anyone
who's done that part too.) Additionally, setting up cross-realm trusts
between MIT krb5 servers and MS ADS servers is possible.

Check out Microsoft's Kerberos Interoperability Guide:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerbint.asp
and Kerberos Authentication white paper:
http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
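
Added example, not part of the original post: a small Python check for the /etc/krb5/krb5.conf step mentioned above, which flags settings that stop a client from finding the KDC of its default realm. The realm EXAMPLE.COM and host dc1.example.com are placeholder assumptions, and the sample deliberately gets the realm's case wrong (realm names are case-sensitive, and an Active Directory realm is the upper-case form of its DNS domain name).

```python
import re
# Constructed sample; EXAMPLE.COM and dc1.example.com are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = example.com
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # [section]
            section, block = conf.setdefault(header.group(1), {}), None
        elif line == "}":                     # end of a realm stanza
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                  # start of a realm stanza
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)   # kdc may repeat
            else:
                section[key] = value
    return conf

def check_realm_config(text):
    conf = parse_krb5_conf(text)
    realms = conf.get("realms", {})
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["default_realm is not set in [libdefaults]"]
    problems = []
    if realm != realm.upper():
        problems.append(f"default_realm {realm!r} is not upper-case")
    if not (isinstance(realms.get(realm), dict) and realms[realm].get("kdc")):
        problems.append(f"no kdc listed for {realm!r} in [realms]")
    for domain, target in conf.get("domain_realm", {}).items():
        if target not in realms:
            problems.append(f"[domain_realm] maps {domain!r} to undefined realm {target!r}")
    return problems
```

check_realm_config(SAMPLE) reports two problems, both caused by the lower-case default_realm; with that one value corrected the list is empty.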


