Windows AD and MIT KDC Cross-Realm Trust
Digant Kasundra
digant at uta.edu
Mon Feb 16 17:41:15 EST 2004
> That is the only way to do it. There is no term called
> "pass-through" authentication within Kerberos. The
> authentication between the MIT and Microsoft realms is based
> on cross-realm trusts. This is exactly what is described on the page:

I guess I am using the phrase "pass-through" authentication as it is
referenced below:

http://acd.ucar.edu/~fredrick/linux/kerberos/testbed.html

(e.g. a workstation on a domain authning against Krb and authzing against AD
as opposed to a standalone workstation doing the same thing).

Sorry for my misunderstandings.

That being the case, when a user tries to log in using bwinkle at kerb.uta.edu,
I do see a request hit the KDC but the user still does not get logged in.
According to the logs, I see an AS_REQ "bwinkle at KERB.UTA.EDU for
krbtgt/KERB.UTA.EDU at KERB.UTA.EDU". In my principals on the KDC machine
(montyburns), I have bwinkle at KERB.UTA.EDU, krbtgt/KERB.UTA.EDU at KERB.UTA.EDU,
krbtgt/KERB.UTA.EDU at UTA.EDU and krbtgt/UTA.EDU at KERB.UTA.EDU (as well as the
kadmin ones that are created at install).

What else should I look at?