From 9facbd35e6301bb46dfaafa1460c54ba09ed2cda Mon Sep 17 00:00:00 2001 From: Caitlyn Marko Date: Tue, 7 Nov 2017 09:46:04 -0500 Subject: [PATCH 1/1] Move file to admin directory --- admin/ActiveDirectory.mdwn | 21 +++++++++++++++++++++ devel/ActiveDirectory.mdwn | 21 --------------------- 2 files changed, 21 insertions(+), 21 deletions(-) create mode 100644 admin/ActiveDirectory.mdwn delete mode 100644 devel/ActiveDirectory.mdwn diff --git a/admin/ActiveDirectory.mdwn b/admin/ActiveDirectory.mdwn new file mode 100644 index 0000000..447b094 --- /dev/null +++ b/admin/ActiveDirectory.mdwn @@ -0,0 +1,21 @@ +As of Windows NT version 5.0, normally known by the name Windows 2000, the domain controller (aka [[ActiveDirectory]]) uses [[KerberosV]] for authentication. + +The resulting TGT tickets use a proprietary authorization data format. There was a big flamefest on this issue, though [[KerberosDCE]] also uses the V5 ticket's authorization data field to store group membership data, the details of Microsoft's format was murky. It is now documented by a paper which essentially requires you to agree to never use the information if you read it, making it similarly useless. + +Nathan Neulinger has used Windows 2000 to provide authentication for AFS. See his [message](http://lists.openafs.org/pipermail/openafs-info/2002-January/002893.html) to [[OpenAFSInfo]] for details. + +Douglas Engert posted some [details](http://lists.openafs.org/pipermail/openafs-info/2002-March/003836.html) on doing this including a pointer to gsiklog which uses GSSAPI to get an K4/AFS token. + +More from Douglas in the same [thread](http://lists.openafs.org/pipermail/openafs-info/2002-March/003904.html). + +> > _I suppose this means krb524d must share knowledge of the key used to encrypt the K5 token. How, in practice, does one share such a key with active directory?_ +> +> You get a key from the [[W2K]] much like you get a key for a host. Its just for afs/cell@REALM. The MS documents talk about how to do thisfor a host. The process of adding the afs/cell@realm can output a keytab file, or it can print the key on the screen. +> +> You can then use the MIT ktutil addent -key to add this to a keytab file. + +-- Ted Anderson - 23 Jan 2002
-- Derrick Brashear - 24 Jan 2002 added the information about the paper.
-- Ted Anderson - 18,22 Mar 2002 added Engert pointer.
+ +---- + +See [[KerberosV]], [[KerberosDCE]], [[WindowsRoamingProfiles]]. diff --git a/devel/ActiveDirectory.mdwn b/devel/ActiveDirectory.mdwn deleted file mode 100644 index 447b094..0000000 --- a/devel/ActiveDirectory.mdwn +++ /dev/null @@ -1,21 +0,0 @@ -As of Windows NT version 5.0, normally known by the name Windows 2000, the domain controller (aka [[ActiveDirectory]]) uses [[KerberosV]] for authentication. - -The resulting TGT tickets use a proprietary authorization data format. There was a big flamefest on this issue, though [[KerberosDCE]] also uses the V5 ticket's authorization data field to store group membership data, the details of Microsoft's format was murky. It is now documented by a paper which essentially requires you to agree to never use the information if you read it, making it similarly useless. - -Nathan Neulinger has used Windows 2000 to provide authentication for AFS. See his [message](http://lists.openafs.org/pipermail/openafs-info/2002-January/002893.html) to [[OpenAFSInfo]] for details. - -Douglas Engert posted some [details](http://lists.openafs.org/pipermail/openafs-info/2002-March/003836.html) on doing this including a pointer to gsiklog which uses GSSAPI to get an K4/AFS token. - -More from Douglas in the same [thread](http://lists.openafs.org/pipermail/openafs-info/2002-March/003904.html). - -> > _I suppose this means krb524d must share knowledge of the key used to encrypt the K5 token. How, in practice, does one share such a key with active directory?_ -> -> You get a key from the [[W2K]] much like you get a key for a host. Its just for afs/cell@REALM. The MS documents talk about how to do thisfor a host. The process of adding the afs/cell@realm can output a keytab file, or it can print the key on the screen. -> -> You can then use the MIT ktutil addent -key to add this to a keytab file. - --- Ted Anderson - 23 Jan 2002
-- Derrick Brashear - 24 Jan 2002 added the information about the paper.
-- Ted Anderson - 18,22 Mar 2002 added Engert pointer.
- ----- - -See [[KerberosV]], [[KerberosDCE]], [[WindowsRoamingProfiles]]. -- 1.9.4