Re: Migrate from AD
On Thursday 28 March 2002 08:49, Mark H. Wood wrote:
| Do you intend to replace *all* of your Windows hosts with Linux, or to add
| Linux hosts to the mix?
|
| If you only want to add Linux hosts, it will be much easier to leave the
| AD DCs in place. Linux-based LDAP tools should be able to exchange
| information with AD. For authentication, you'll need to install Kerberos
| client code on the Linux hosts, because that's what AD uses for
| authentication.
|
| I don't believe that anyone has ever made a fully-functional replacement
| for an AD server, because the ADS domain security model uses a proprietary
| TDATA attached to the Kerberos principal record to connect the NT security
| model to the Kerberos model, and they won't reveal the details of that
| TDATA's format. I suppose it might be possible to extract the necessary
| data from a working AD server and stuff it into another Kerberos KDC
| without knowing how the data were created, but I've not heard of anyone
| doing it.* Without this, Windows hosts will not be able to use domain
| accounts.
|
I know it's off-topic, but this is not entirely true anymore. MS revealed the
structure of the TDATA and you're allowed to implement it, see:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnkerb/html/MSDN_PAC.asp
Somebody is already working on an implementation for Heimdal AFAIR. And you
can also set up cross-realm authentication between Kerberos and Win2000 (tried
it myself, works fine).
| If you want to dismantle your AD tree and replace it with an all-Linux
| network, then the job is both easier and more difficult. Easier because
| you don't have to figure out how to work with AD's quirks, but harder
| because there may be no way to transfer the passwords. (You'd have to
| extract the password hashes from an AD DC and stuff them into your new
| KDC, just as in the previous paragraph.)
|
| Anyway, the passwords are in the Kerberos part, not the LDAP part, so you
| need to be asking questions in the Kerberos newsgroup.
|
| -------------------
| * Hmmm, I wonder how hard it would be to slave an MIT Kerberos KDC to an
| ADS KDC? The MIT host would need a domain computer account, of course.
| Once the two are synchronized, the MIT KDC should have the PAC TDATAs in
| its store, and one might be able to remove the ADS DCs.
--
Karsten.
"Things should be made as simple as possible, but not any simpler."
-Albert Einstein
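The "TDATA" the thread argues about is the PAC, and its top-level layout is the part MS documented: a PACTYPE header (cBuffers, Version) followed by an array of PAC_INFO_BUFFER entries (ulType, cbBufferSize, Offset), with the server and KDC checksums carried as two of those buffers. The following Python is an added example, not code from the original thread or from Heimdal or MIT: it builds a minimal PAC, walks the header, and verifies the server checksum the way a service should before it trusts anything in the PAC. The client name, FILETIME and 16-byte keys are constructed here; the checksum is the RC4-HMAC variant (KERB_CHECKSUM_HMAC_MD5, RFC 4757), chosen because it needs only hashlib; AES-keyed PACs use a different checksum and are deliberately rejected rather than faked.

```python
"""Parse the top-level structure of a Kerberos PAC (MS-PAC) and verify its
server checksum.

Added example, not code from the original thread. The sample PAC, the client
name and the 16-byte keys below are constructed for illustration.
"""
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values from MS-PAC; only the ones used here.
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07   # the KDC checksum
PAC_CLIENT_INFO = 0x0A

KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # RFC 4757 checksum type (-138 as a ULONG)
HMAC_MD5_SIG_LEN = 16
KERB_NON_KERB_CKSUM_SALT = 17         # key usage number for PAC checksums

# Constructed keys. A real RC4-HMAC key is the NT hash of the account password.
SERVER_KEY = bytes(range(0x10, 0x20))   # service account key (assumed)
KDC_KEY = bytes(range(0x30, 0x40))      # krbtgt key (assumed)


def hmac_md5_checksum(key: bytes, data: bytes, usage: int) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 from RFC 4757: Ksign = HMAC-MD5(K, "signaturekey\\0"),
    checksum = HMAC-MD5(Ksign, MD5(usage as little-endian ULONG || data))."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def parse_pac(blob: bytes) -> dict:
    """Walk the PACTYPE header; return {ulType: (Offset, cbBufferSize)}."""
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    entries = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("buffer type %#x runs past end of PAC" % ultype)
        entries[ultype] = (offset, size)
    return entries


def parse_client_info(buf: bytes) -> tuple:
    """PAC_CLIENT_INFO: FILETIME ClientId, USHORT NameLength, UTF-16LE Name."""
    client_id, name_len = struct.unpack_from("<QH", buf, 0)
    return client_id, buf[10:10 + name_len].decode("utf-16-le")


def build_pac(buffers, server_key: bytes, kdc_key: bytes) -> bytes:
    """Assemble a PAC from (ulType, payload) pairs, then sign it: the server
    checksum covers the whole PAC with both Signature fields zeroed, and the
    KDC checksum covers only the server signature."""
    placeholder = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\0" * HMAC_MD5_SIG_LEN
    buffers = list(buffers) + [(PAC_SERVER_CHECKSUM, placeholder),
                               (PAC_PRIVSVR_CHECKSUM, placeholder)]
    header = struct.pack("<II", len(buffers), 0)
    body = bytearray()
    base = 8 + 16 * len(buffers)             # header length, already 8-aligned
    for ultype, payload in buffers:
        header += struct.pack("<IIQ", ultype, len(payload), base + len(body))
        body += payload
        body += b"\0" * (-len(body) % 8)     # MS-PAC aligns buffers to 8 bytes
    pac = bytearray(header + body)
    entries = parse_pac(bytes(pac))
    srv_off = entries[PAC_SERVER_CHECKSUM][0] + 4   # skip SignatureType
    kdc_off = entries[PAC_PRIVSVR_CHECKSUM][0] + 4
    srv_sig = hmac_md5_checksum(server_key, bytes(pac), KERB_NON_KERB_CKSUM_SALT)
    pac[srv_off:srv_off + HMAC_MD5_SIG_LEN] = srv_sig
    kdc_sig = hmac_md5_checksum(kdc_key, srv_sig, KERB_NON_KERB_CKSUM_SALT)
    pac[kdc_off:kdc_off + HMAC_MD5_SIG_LEN] = kdc_sig
    return bytes(pac)


def verify_server_checksum(blob: bytes, server_key: bytes) -> bool:
    """What a service must do before trusting the group data in a PAC."""
    entries = parse_pac(blob)
    scratch = bytearray(blob)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off = entries[t][0]
        sig_type, = struct.unpack_from("<I", blob, off)
        if sig_type != KERB_CHECKSUM_HMAC_MD5:
            raise ValueError("only KERB_CHECKSUM_HMAC_MD5 is handled here")
        scratch[off + 4:off + 4 + HMAC_MD5_SIG_LEN] = b"\0" * HMAC_MD5_SIG_LEN
    off = entries[PAC_SERVER_CHECKSUM][0] + 4
    expected = hmac_md5_checksum(server_key, bytes(scratch), KERB_NON_KERB_CKSUM_SALT)
    return hmac.compare_digest(expected, blob[off:off + HMAC_MD5_SIG_LEN])


def make_sample_pac() -> bytes:
    """Constructed sample carrying only PAC_CLIENT_INFO; a real PAC also carries
    the NDR-encoded PAC_LOGON_INFO (user SID, group RIDs) that ties the NT
    security model to the Kerberos principal."""
    name = "karsten".encode("utf-16-le")
    client_info = struct.pack("<QH", 0x01C1D6F2A1B2C3D4, len(name)) + name
    return build_pac([(PAC_CLIENT_INFO, client_info)], SERVER_KEY, KDC_KEY)


def demo() -> tuple:
    """Return (client name, verifies as issued, verifies after tampering)."""
    pac = make_sample_pac()
    off, size = parse_pac(pac)[PAC_CLIENT_INFO]
    _, name = parse_client_info(pac[off:off + size])
    tampered = bytearray(pac)
    tampered[off + 10] ^= 0x20              # flip the case of the first name byte
    return (name, verify_server_checksum(pac, SERVER_KEY),
            verify_server_checksum(bytes(tampered), SERVER_KEY))


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping in mind when using this against a real ticket: the server checksum only proves that whoever signed the PAC held the service key, so a service can never use it to detect a PAC it forged for itself; and the KDC checksum can only be checked by a DC, since it needs the krbtgt key, which is why a non-AD KDC that wants Windows clients to accept its tickets has to be able to produce both signatures, not merely parse the structure.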