by gchpaco 4831 days ago
Windows AD is Kerberos based with a gratuitous compatibility-breaking change that I can't remember right now. We use Kerberos at work, and the FreeIPA project is Kerberos based. It doesn't really come into its own until you have many, many machines, probably at least fifty, but it isn't bad in the end. I have had many, many problems with FreeIPA but very few are due to it using Kerberos.
1 comment

I suspect that I'm going to get out of my depth very quickly here, but I'm not sure what the gratuitous breaking change is that you're speaking of; relatively recent MIT or Heimdal krb5 implementations can interop with Active Directory with no problem that I'm aware of.

Some older implementations were lacking ciphers that Active Directory required. If this is what you're speaking of then I wouldn't classify it as a "breaking change", since cipher negotiation is meant to be - well - negotiated. Its gratuitousness may be more in question, but I'm certain it was for backward compatibility with NT Lan Manager password schemes. (Alas.)

From http://www.h5l.org/manual/HEAD/info/heimdal/Authorisation-da...:

  The Windows 2000 KDC also adds extra authorisation data in tickets. It is at this point unclear what triggers it to do this. The format of this data is only available under a “secret” license from Microsoft, which prohibits you implementing it.
This makes/made? it difficult to have a Windows domain authenticate against an existing KDC; you needed to set up an AD server and then set up cross-domain trust relationships, which means you must have a Windows server on your network in order to support Windows AD clients.
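To make the two points in the reply above concrete (enctype negotiation with AD, and the cross-realm trust you end up needing instead of pointing AD at a non-Microsoft KDC), here is an added example of the MIT krb5 client-side configuration for such a setup. It is not from the thread or from any of the projects mentioned; the realm names, hostnames and domain names are placeholders.

```ini
; Added example: MIT krb5 krb5.conf for a Unix realm (EXAMPLE.ORG) that
; trusts, and is trusted by, an Active Directory domain (AD.EXAMPLE.ORG).
; All names are placeholders.
[libdefaults]
    default_realm = EXAMPLE.ORG
    dns_lookup_kdc = true
    ; Offer only AES. RC4-HMAC is the "NTLM-compatible" enctype: its key
    ; is the NT hash of the password, so leave it out unless an old DC
    ; genuinely cannot do AES. With it removed, a DC that only speaks
    ; RC4 will fail negotiation loudly rather than downgrade silently.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.ORG = {
        kdc          = kdc1.example.org
        admin_server = kdc1.example.org
    }
    ; The AD domain is just another realm from the client's point of view;
    ; the domain controller is its KDC.
    AD.EXAMPLE.ORG = {
        kdc          = dc1.ad.example.org
        admin_server = dc1.ad.example.org
    }

[domain_realm]
    .example.org    = EXAMPLE.ORG
    .ad.example.org = AD.EXAMPLE.ORG

[capaths]
    ; Direct two-way trust: "." means no intermediate realm on the path.
    EXAMPLE.ORG = {
        AD.EXAMPLE.ORG = .
    }
    AD.EXAMPLE.ORG = {
        EXAMPLE.ORG = .
    }
```

The file only declares the path; the trust itself must exist on both sides as matching cross-realm principals (krbtgt/AD.EXAMPLE.ORG@EXAMPLE.ORG and krbtgt/EXAMPLE.ORG@AD.EXAMPLE.ORG) with the same key and the same enctypes, created in the MIT KDC with kadmin and on the AD side with the domain's trust tooling. A quick check after kinit is klist -e, which prints the enctype of each cached ticket, so a surprise RC4 ticket shows up immediately.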
Very interesting. I had a similar setup in a previous life without any issues, but the "it is at this point unclear what triggers it to do this" is ominous indeed, so it's possible I just went down the happy path where this sort of issue doesn't come up.