You want to integrate your existing MIT Kerberos infrastructure with Active Directory.
Integrating MIT Kerberos with Active Directory typically means setting up a trust between an Active Directory domain and your MIT Kerberos realm. Creating a trust between a domain and realm is the first step toward Kerberos interoperability. It will allow users to access resources in either the AD domain or Kerberos realm. Here are the steps to create the trust:
Create a trust to the Kerberos realm on a domain controller:
> netdom trust AD.RALLENCORP.COM /Domain:MIT.RALLENCORP.COM /Add /Realm /[RETURN] PasswordT:"Password"
Make the trust transitive (if necessary):
> netdom trust AD.RALLENCORP.COM /Domain:MIT.RALLENCORP.COM /Transitive:yes
Add a KDC for the Kerberos realm on the domain controller(s):
> ksetup /addkdc MIT.RALLENCORP.COM kdc01.mit.rallencorp.com
Add the AD domain principal to the Kerberos realm (on the Unix host):
kadmin: addprinc -e des-cbc-crc:normal krbtgt/ad.rallencorp.com
What I’ve shown here is just the tip of the iceberg. You may need to configure service principals, create account mappings, create host principals, and tweak the krb5.conf configuration file on your MIT KDCs to accomplish full integration in your environment. Providing details on how to do all of that is beyond the scope of this book, but a great resource on Kerberos is O’Reilly’s Kerberos: The Definitive Guide, which covers all the ins and outs of the Kerberos ...