Moving from OpenLDAP/Kerberos to Active Directory

Tags: active-directory, authentication, credentials, kerberos, mit-kerberos

I have a well-working setup using OpenLDAP for user information and Kerberos for authentication, but we need to have Windows integration too, and for this we have decided that moving to Active Directory could be a good idea. Moving account information from OpenLDAP is quite trivial and easily done, but I have a problem: how to move passwords/auth information from MIT Kerberos to AD?

I understand some kind of delegation between them is possible, but this wouldn't solve my problem? Or can I do AD authentication against a MIT Kerberos KDC? Passwords are stored as hashes in Kerberos, so I cannot move them in cleartext. I wonder if the hashes would be compatible between MIT and AD, since I can enter the password into AD in encrypted form, too.

Does anyone have experience with this? What would be your suggestion, aside from just requiring all my users to change passwords and having one major hassle when all authentication switches from one place to the other without any coexistence?

Best Answer

But I have a problem: how to move passwords/auth information from MIT Kerberos to AD?

You don't. While Kerberos hashes have to be the same between systems, because they're used as encryption and decryption keys, none of the public APIs allow setting them directly. Given that AD requires it be given plaintext passwords, and your LDAP/KRB5 install is dutifully discarding that, you need to either wait for a password change or break the cardinal rule and keep passwords around in reversible form at least temporarily, assuming you've got some middleware for sending password changes to OpenLDAP/Kerberos that you can instrument.

I understand some kind of delegation between them is possible, but this wouldn't solve my problem? Or can I do AD authentication against a MIT Kerberos KDC?

This is the approach we're considering at the moment: authenticating to Windows using Kerberos. This is known as a cross-realm trust. A few important things to note. Finding an encryption type common to all realms is critical, and will usually depend on AD. The version of AD you're using typically dictates the crypt of the day. The best guide to setting this up I've found actually comes from Microsoft: Kerberos Interoperability Step-by-Step Guide for Windows Server 2003. The key problem I ran into was telling it which encryption type to use for the cross-realm trust, which other guides written a long time ago neglected to mention.
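The cross-realm trust described in the answer, as an added example that is not part of the original post or of Microsoft's guide. It scaffolds the MIT side of a direct MIT KDC to AD trust: a krb5.conf that names both realms and a direct `[capaths]` entry, and the `kadmin.local` queries for the two cross-realm `krbtgt` principals with the encryption type pinned explicitly, since that omission is exactly the problem the answer ran into. The realm names (MIT.EXAMPLE.COM, AD.EXAMPLE.COM), host names and the chosen enctype are assumptions; the Windows-side `netdom`/`ksetup` commands are listed in comments because they are typed on a domain controller, not on the KDC.

```shell
#!/bin/sh
# Added example (not from the original post): scaffold a direct MIT <-> AD
# cross-realm trust from the MIT side. Realm names, hosts and the enctype
# are assumptions; override them via environment variables. Run with the
# single argument "apply" (as root) to write /etc/krb5.conf and create the
# principals; with no argument it only prints what it would do.

MIT_REALM="${MIT_REALM:-MIT.EXAMPLE.COM}"
AD_REALM="${AD_REALM:-AD.EXAMPLE.COM}"
MIT_KDC="${MIT_KDC:-kdc.mit.example.com}"
AD_DC="${AD_DC:-dc1.ad.example.com}"
# The trust key enctype must be supported by BOTH KDCs. AES needs a Server
# 2008 or newer forest; a 2003-era forest is limited to rc4-hmac (or DES,
# which is obsolete and disabled by default in current MIT builds).
ENCTYPE="${ENCTYPE:-aes256-cts-hmac-sha1-96}"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# krb5.conf for hosts in the MIT realm that must reach the AD realm.
# "." in [capaths] declares a direct trust with no intermediate realm.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $MIT_REALM

[realms]
    $MIT_REALM = {
        kdc = $MIT_KDC
        admin_server = $MIT_KDC
    }
    $AD_REALM = {
        kdc = $AD_DC
        admin_server = $AD_DC
    }

[domain_realm]
    .$(lower "$MIT_REALM") = $MIT_REALM
    .$(lower "$AD_REALM") = $AD_REALM

[capaths]
    $MIT_REALM = {
        $AD_REALM = .
    }
    $AD_REALM = {
        $MIT_REALM = .
    }
EOF
}

# The two cross-realm ticket-granting principals. Both KDCs must hold the
# same key, so the password kadmin prompts for must be the one later given
# to netdom /passwordt on the Windows side.
cross_realm_principals() {
    printf '%s\n' "krbtgt/$AD_REALM@$MIT_REALM" "krbtgt/$MIT_REALM@$AD_REALM"
}

# Pin the enctype (and a normal salt) instead of trusting the KDC default:
# a default AES key against a 2003 forest silently breaks the trust.
kadmin_query() {
    printf 'addprinc -e %s:normal %s\n' "$ENCTYPE" "$1"
}

# Windows side, run on a domain controller (cmd.exe or PowerShell), shown
# here as comments because they do not run on the KDC:
#   ksetup /addkdc  MIT.EXAMPLE.COM kdc.mit.example.com
#   netdom trust AD.EXAMPLE.COM /Domain:MIT.EXAMPLE.COM /add /realm /passwordt:<same password>
#   ksetup /setenctypeattr MIT.EXAMPLE.COM AES256-CTS-HMAC-SHA1-96   (Server 2008+ only)
#   ksetup /mapuser alice@MIT.EXAMPLE.COM alice   (or set altSecurityIdentities per user)

if [ "${1:-}" = "apply" ]; then
    render_krb5_conf > /etc/krb5.conf
    for princ in $(cross_realm_principals); do
        # kadmin.local prompts for the shared trust password interactively.
        kadmin.local -q "$(kadmin_query "$princ")"
    done
else
    echo "# /etc/krb5.conf would contain:"
    render_krb5_conf
    echo "# kadmin.local queries:"
    for princ in $(cross_realm_principals); do
        kadmin_query "$princ"
    done
fi
```

After both sides are configured, `kinit alice@MIT.EXAMPLE.COM` followed by `kvno cifs/fileserver.ad.example.com@AD.EXAMPLE.COM` should show a service ticket being issued across the trust; if the KDC returns an "encryption type not supported" style error, the enctype chosen above is not one the AD forest accepts, which is the failure mode the answer describes.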