cross-realm authentication problem
Christopher D. Clausen
cclausen at acm.org
Thu May 28 11:07:52 EDT 2009
Bjoern Tore Sund <bjorn.sund at it.uib.no> wrote:
> Any ideas where I need to look to figure this one out? It looks as if
> the RHEL5 server somehow fails to inform the windows client that it
> needs to get a TGT for UNIX.UIB.NO, but why then does the RHEL4
> server provide this information?
Kerberos works the other way. The CLIENT needs to know what realm the
server is in. The server doesn't really inform the client of its realm.
Windows doesn't have a krb5.conf file for SSPI creds. You probably want
to look into trying to use the netdom.exe trust command (possibly with
/addTLN or AddTLNEX) to add the domain to realm mappings for Windows
clients to use. Your KDC may need to support referrals for this to
work.
What are the URLs / hostnames of the two different web servers? It is
possible that mappings exist for one name and not the other domain?
Or, can you downgrade to the older krb5 libs on your RHEL5 web server to
see if that gets things working?
-----
I'd consider why you have multiple realms in the first place. It would
be much easier to just use Active Directory as one single realm.
<<CDC
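To make the point above concrete (the client, not the server, decides which realm a service lives in), here is an added example, not code from the thread, that performs the host-to-realm lookup MIT krb5 applies to the `[domain_realm]` section of krb5.conf. The mapping table, `AD.UIB.NO` as default realm, and the hostnames are constructed for illustration; a Windows client keeps the equivalent table in the forest trust TLN records that netdom manages, not in a file.

```python
"""Resolve which Kerberos realm a service host belongs to, using the
longest-suffix rule that MIT krb5 applies to [domain_realm] in krb5.conf.
Added example for illustration; names below are constructed."""

# Constructed sample of a [domain_realm] section.  A key starting with "."
# matches every host under that domain; a key without the leading dot
# matches exactly one host and takes precedence over a domain rule.
DOMAIN_REALM = {
    ".uib.no": "UNIX.UIB.NO",
    "legacy.uib.no": "AD.UIB.NO",
}

# Constructed: the realm a client falls back to when no rule matches.
DEFAULT_REALM = "AD.UIB.NO"


def realm_for_host(host, mapping=DOMAIN_REALM, default=DEFAULT_REALM):
    """Return (realm, rule) for `host`.

    Order mirrors krb5: an exact host entry wins, then the most specific
    ".domain" suffix, walking up towards the TLD.  `rule` is the mapping
    key that matched, or None when the default realm had to be used,
    which is the "no mapping for this name" case discussed in the thread.
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    # Try ".a.b.c", then ".b.c", then ".c": longest suffix first.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], suffix
    return default, None


def unmapped_hosts(hosts, mapping=DOMAIN_REALM):
    """Return the hosts for which no [domain_realm] rule matched."""
    return [h for h in hosts if realm_for_host(h, mapping)[1] is None]


if __name__ == "__main__":
    for h in ("www.it.uib.no", "legacy.uib.no", "web.example.org"):
        realm, rule = realm_for_host(h)
        print(f"{h:18} -> {realm:12} via {rule or 'default realm'}")
```

Comparing the two web servers' hostnames with such a table shows whether the client would request a cross-realm TGT for `UNIX.UIB.NO` or silently stay in its default realm.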