> Ultimately Kerberos is used to authenticate basically everything in a Windows on-prem environment and in a way that is largely transparent to the user. Silent SSO is a very nice feature.
When it works. And when it doesn't work (which is most of the time if you're outside of the corporate LAN) you simply can't debug what's happening.
> MIT Kerberos on Linux is not really compatible with Windows Kerberos
It actually is! A long, long time ago I managed to join Windows into a pure Kerberos domain. Everything worked, including things like GSSAPI authentication in PuTTY or MySQL. It involved some `ksetup.exe` incantations; I think this guide might still be relevant: https://docs.oracle.com/cd/E19316-01/820-3746/gisqf/index.ht...
Of course, there was no group synchronization (because no AD).
That was about 20 years ago. Back then, I was working on helping companies migrate to Linux, and I toyed with the idea of having a background service to periodically sync groups from the Linux SMB server with the local users.