Using kerberos w/o binding to active directory

David Carlin

I have a file server on the campus active directory that contains the
home directories for all the users of campus computer lab. I would like
for students to be able to connect to a share and access their files
from their dorm PCs not on the active directory. The complication here
is since their dorm PCs are not bound to the active directory, they are
not using Kerberos for authentication. I'd like to come up with a set
of instructions so they can get a Kerberos ticket and connect to the
share, but I don't have a strong Kerberos background.

I have been able to do this on a Mac by setting up an appropriate
/Library/Preferences/edu.mit.kerberos file (just like krb5.conf) and
using the /System/Library/CoreServices/Kerberos application to get a
ticket. Once this happens, the Mac user is able to connect to the share
and see their files. This at least leads me to believe what I want to
accomplish is possible.

Berkeley has a set of instructions for their students to do this. Their
AD also uses Kerberos for authentication:

http://calnetad.berkeley.edu/documentation/interoperability/#item1

It seems to have the students install a .reg file which has the same
effect as running the necessary ksetup.exe commands. I have tried
using this method to no avail - creating an analogous registry file by
copying those keys from a working machine on the active directory.

The difference in the event logs on the server side between the failed
Windows connections and the successful MacOS 10.3 ones is this:

Successful Network Logon:
User Name: djc6
Domain: ADS
Logon ID: (0x0,0x64EC9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

Login Failures all show:
Logon Process: NtLmSsp
Authentication Package: NTLM

So it seems I am missing something fundamental where the windows clients
aren't even trying to use Kerberos for authentication.

Anyone have any ideas?

-David
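As an added example (not part of David's post or the Berkeley instructions), here is the client-side procedure that the .reg file is standing in for, written as a PowerShell script for the non-domain-joined dorm PC. The realm name ADS.EXAMPLE.EDU, the KDC hostnames, the file server FQDN and the share name are placeholders I have assumed; the post only shows the NetBIOS domain name "ADS". ksetup writes the same registry keys under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains that the .reg approach copies, so this needs an elevated shell.

```powershell
# Added example, not from the original post. Assumed placeholders:
#   ADS.EXAMPLE.EDU             the AD Kerberos realm (uppercase DNS domain name)
#   dc1/dc2.ads.example.edu     domain controllers, which are the realm's KDCs
#   fileserver.ads.example.edu  the home-directory file server, by FQDN, never by IP
# Run in an elevated PowerShell on the workgroup (non-domain-joined) PC.

$Realm      = 'ADS.EXAMPLE.EDU'
$Kdcs       = @('dc1.ads.example.edu', 'dc2.ads.example.edu')
$FileServer = 'fileserver.ads.example.edu'
$Share      = 'home'

# 1. Tell the Windows Kerberos client (LSA) where the realm's KDCs are.
#    Without this entry the client has no way to obtain a TGT for the realm
#    and the SMB redirector quietly negotiates NTLM instead.
foreach ($kdc in $Kdcs) {
    ksetup /addkdc $Realm $kdc
}
# Print the client's realm configuration; the realm and its KDCs must appear.
ksetup

# 2. Authenticate with a UPN-style name (user@REALM) and connect to the
#    server's FQDN. The FQDN is what the client turns into the service
#    principal cifs/fileserver.ads.example.edu; a NetBIOS name or an IP
#    address gives it nothing to ask the KDC for, so it falls back to NTLM.
#    Get-Credential keeps the password out of the command line and history.
$user = Read-Host 'Campus username'
$cred = Get-Credential -UserName "$user@$Realm" -Message 'Campus password'
New-PSDrive -Name H -PSProvider FileSystem -Root "\\$FileServer\$Share" `
    -Credential $cred -Persist -Scope Global

# 3. Verify that Kerberos was actually used: the client's ticket cache
#    should now hold a service ticket for cifs/<fqdn>.
$tickets = klist
if ($tickets -match "cifs/$FileServer") {
    Write-Host "Kerberos service ticket for cifs/$FileServer is cached"
} else {
    Write-Warning "No cifs/$FileServer ticket cached; check the server's Security log for 'Authentication Package: NTLM'"
}
```

Two things to check when the server still logs NtLmSsp: the realm name must be the fully qualified DNS name of the AD domain in uppercase (the NetBIOS name "ADS" on its own is not a Kerberos realm), and the client's clock must be within the KDC's skew tolerance (5 minutes by default), since a dorm PC that is not domain-joined does not sync time from the domain controllers.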
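The server-side comparison in the post (Logon Process and Authentication Package in the Security log) is the reliable way to tell which clients are still negotiating NTLM. As an added example that is not part of the original post, the Python below parses records in the same text layout the post quotes and reports the workstations that never produced a Kerberos logon. The sample records are constructed to mimic the post's fields; the Workstation Name field is an assumption added so each fallback can be tied to a client.

```python
"""Classify Windows Security-log logon events by authentication package.

Added example, not from the original post. SAMPLE_LOG is constructed to
mimic the fields quoted in the post (User Name, Domain, Logon ID, Logon
Type, Logon Process, Authentication Package); the Workstation Name field
is an assumed addition so a fallback can be attributed to a client PC.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Successful Network Logon:
User Name: djc6
Domain: ADS
Logon ID: (0x0,0x64EC9)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: MACBOOK-DORM

Successful Network Logon:
User Name: djc6
Domain: ADS
Logon ID: (0x0,0x6A112)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DORM-PC-07

Logon Failure:
User Name: jsmith
Domain: ADS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: DORM-PC-12
"""

# "Field Name: value" lines as they appear in the exported event text.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split blank-line-separated records into dicts of field -> value.

    The first line of each record ("Successful Network Logon:",
    "Logon Failure:") is kept under the key 'Event'.
    """
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        event = {"Event": lines[0].rstrip(":")}
        for line in lines[1:]:
            m = FIELD_RE.match(line.strip())
            if m:
                event[m.group(1)] = m.group(2)
        events.append(event)
    return events


def auth_summary(events):
    """Map each workstation to the set of authentication packages it used
    for network logons (Logon Type 3), successful or failed."""
    summary = defaultdict(set)
    for e in events:
        if e.get("Logon Type") != "3":
            continue
        ws = e.get("Workstation Name", "?")
        summary[ws].add(e.get("Authentication Package", "?"))
    return dict(summary)


def ntlm_only_clients(events):
    """Workstations that never completed a Kerberos logon: these are the
    clients whose Kerberos realm configuration is not taking effect."""
    summary = auth_summary(events)
    return sorted(ws for ws, pkgs in summary.items() if "Kerberos" not in pkgs)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ws, pkgs in sorted(auth_summary(evts).items()):
        print(f"{ws:15s} {', '.join(sorted(pkgs))}")
    print("NTLM-only clients:", ntlm_only_clients(evts))
```

Pointing this at an export of the file server's Security log (Event Viewer's "Save as text" keeps the same field layout) gives a per-workstation list of which dorm PCs still need their Kerberos configuration fixed, without having to read the events one by one.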
 
