On Thu, 19 Sep 2002 10:32:10 +0100, "Jon Rabone" <jon.rabone at criticalblue.com> wrote:

>> You'd need an AD version of gserver. It should be possible to do but the
>> code has rotted since I don't have an AD domain to test on any more and
>> nobody seems that interested in it.
>> I'm not sure how you'd do it just using the MIT code. I believe it's
>> possible but requires a bit of setting up on the NT site.
>
>Oh. I rather thought that the point of gserver was interoperability.
>After all, ntserver and sspi are proprietary, plain password is not on
>(nothing on our networks uses plain passwords), and ssh is a hassle.
>Gserver was my great hope.
>
>I'd be willing to test / maintain an ADS version of cvsnt, but I was
>hoping that there was a simple "how-to" document on making MIT gserver
>work with the CVS server hosted on Win2K. Since there isn't, I will
>write one, if I ever get it going... In the meantime if anyone has any
>pointers (I've read the MS interoperability white papers) I'd be most
>grateful.
>

The problem is that AD isn't any kind of 'standard' kerberos, except at the protocol level. For example it doesn't support GSSAPI (it supports the wire protocol but not the API), so you can't compile :gserver: directly onto it (which is why we use MIT for the client). It doesn't support 'kinit' so you can't login to an active remote KDC, etc.

The server interface is also completely different and although I managed to get it to work once it kept breaking so I abandoned it - it's not very well documented how to use kerberos directly... MS want you to always use SSPI.

What would be really nice (and a useful project for someone) would be a native GSSAPI implementation on top of AD. Then I could compile gserver onto it & it'd stand a chance of working automatically. In theory all the GSSAPI functions should exist in some form in the AD API already.

Tony