
Re: Migrate from AD
Do you intend to replace *all* of your Windows hosts with Linux, or to add
Linux hosts to the mix?

If you only want to add Linux hosts, it will be much easier to leave the
AD DCs in place.  Linux-based LDAP tools should be able to exchange
information with AD.  For authentication, you'll need to install Kerberos
client code on the Linux hosts, because that's what AD uses for
authentication.

I don't believe that anyone has ever made a fully-functional replacement
for an AD server, because the ADS domain security model uses a proprietary
TDATA attached to the Kerberos principal record to connect the NT security
model to the Kerberos model, and they won't reveal the details of that
TDATA's format.  I suppose it might be possible to extract the necessary
data from a working AD server and stuff it into another Kerberos KDC
without knowing how the data were created, but I've not heard of anyone
doing it.*  Without this, Windows hosts will not be able to use domain
accounts.

If you want to dismantle your AD tree and replace it with an all-Linux
network, then the job is both easier and more difficult.  Easier because
you don't have to figure out how to work with AD's quirks, but harder
because there may be no way to transfer the passwords.  (You'd have to
extract the password hashes from an AD DC and stuff them into your new
KDC, just as in the previous paragraph.)

Anyway, the passwords are in the Kerberos part, not the LDAP part, so you
need to be asking questions in the Kerberos newsgroup.

-------------------
* Hmmm, I wonder how hard it would be to slave an MIT Kerberos KDC to an
  ADS KDC?  The MIT host would need a domain computer account, of course.
  Once the two are synchronized, the MIT KDC should have the PAC TDATAs in
  its store, and one might be able to remove the ADS DCs.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".