Authentication to realms of a tree
hwntw
hwntw at hotmail.com
Sat Apr 5 08:42:44 EST 2003
TED.MARIGOMEN at ROCHE.COM ("Marigomen, Ted {Info~Palo Alto}") wrote in message news:<6A39BF27EAB27743887E0425BD51196B37FF51 at rplmsem1.nala.roche.com>...
> Hi all,
>
> I have setup kerberos clients of various unix flavors (RH linux 7.3,
> Solaris 8, HPUX 11) to authenticate to our Active Directory. However,
> the clients can only authenticate (and kpasswd) to the realm specified
> in the default_realm, not to all the realms of the tree default_realm is
> a part of.
>
> First of all, does kerberos have this capability? If so, what am I
> missing?
>
> Our tree consists of various domains (i.e. DOM1.COMP.COM, DOM2.COMP.COM,
> DOM3.COMP.COM) which are part of COMP.COM. There are DC's in all of the
> various domains but not in COMP.COM. If default_realm is set to
> DOM1.COMP.COM, only users of that domain can authenticate. Conversely,
> if default_realm is set to DOM2.COMP.COM, only users of that domain can
> authenticate.
>
This begs the question: how did you get the whole thing to work in
the first place? What did you do at the AD end? Did you use SFU? Or
AD4unix? I am very keen to know how you did it.
Hwntw
> I need only authentication for now. And, since our users travel, users
> of a certain domain may use a computer of a different domain.
>
> RH Linux 7.3 pam_krb5-1.55-1
> HPUX 11 PAM Kerberos v1.10
> Solaris 8 SEAM 1.0.1
>
>
> /etc/krb5.conf:
>
> [libdefaults]
> default_realm = DOM1.COMP.COM
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> DOM1.COMP.COM = {
> kdc = kdcdom1.dom1.comp.com
> kpasswd_protocol = SET_CHANGE
> kpasswd_server = kdcdom1.dom1.comp.com
> admin_server = kdcdom1.dom1.comp.com
> }
> DOM2.COMP.COM = {
> kdc = kdcdom2.dom2.comp.com
> kpasswd_protocol = SET_CHANGE
> kpasswd_server = kdcdom2.dom2.comp.com
> admin_server = kdcdom2.dom2.comp.com
> }
> [domain_realm]
> .dom1.comp.com = DOM1.COMP.COM
> dom1.comp.com = DOM1.COMP.COM
> .dom2.comp.com = DOM2.COMP.COM
> dom2.comp.com = DOM2.COMP.COM
>
> [logging]
> default = FILE:/var/krb5/kdc.log
> kdc = FILE:/var/krb5/kdc.log
> kdc_rotate = {
> period = 1d
> versions = 10
> }
>
> [appdefaults]
> kinit = {
> renewable = true
> forwardable = true
> }
> rlogin = {
> forwardable = true
> }
> rsh = {
> forwardable = true
> }
> telnet = {
> autologin = true
> forwardable = true
> }
>
>
> Thanks
> Ted
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
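An added example, not part of this thread and not Ted's or hwntw's code: a small Python reader for the krb5.conf syntax quoted above that replays the decisions libkrb5 makes at login, so the symptom in the question (only users of the default_realm can authenticate) can be traced to specific lines of the config. It assumes the forest root COMP.COM is a realm the client can reach a KDC for (the question says there are no DCs there, so verify that before relying on a path through it), treats DOM3.COMP.COM as a hypothetical third child domain, and uses two constructed configs: the posted one, trimmed, and a variant with dns_lookup_kdc, a mapping for the root and a [capaths] section. The hierarchical fallback is a simplified model of what MIT krb5 does without [capaths].

```python
# Added example, not code from the original post: a small krb5.conf reader showing
# how libkrb5 picks a login's realm and KDC and which trust path a cross-realm
# request walks. Assumes COMP.COM is the forest root, as in the question.
# Constructed sample: the question's config, trimmed to the relevant sections.
POSTED_CONF = """
[libdefaults]
 default_realm = DOM1.COMP.COM
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
 DOM1.COMP.COM = {
  kdc = kdcdom1.dom1.comp.com
 }
 DOM2.COMP.COM = {
  kdc = kdcdom2.dom2.comp.com
 }
"""

# Constructed sample covering the whole forest: DNS SRV lookup instead of per-realm kdc
# lines, the root mapped, [capaths] explicit. DOM3.COMP.COM is a hypothetical third domain.
FOREST_CONF = """
[libdefaults]
 default_realm = DOM1.COMP.COM
 dns_lookup_kdc = true
[domain_realm]
 .comp.com = COMP.COM
 .dom1.comp.com = DOM1.COMP.COM
 .dom3.comp.com = DOM3.COMP.COM
[capaths]
 DOM1.COMP.COM = {
  DOM3.COMP.COM = COMP.COM
 }
"""

def parse_krb5_conf(text):
    """krb5.conf (ini with braces) -> nested dicts; a key repeated in one block becomes a list."""
    conf, stack = {}, [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                old = stack[-1].get(key)
                stack[-1][key] = value if old is None else ([old] if isinstance(old, str) else old) + [value]
    return conf

def home_realm(conf, login_name):
    """TGT realm: the explicit @REALM, else default_realm (all an unqualified PAM login can map to)."""
    return login_name.partition("@")[2] or conf["libdefaults"]["default_realm"]

def kdc_sources(conf, realm):
    """Listed kdc = entries, else the SRV record if dns_lookup_kdc is on, else nothing."""
    listed = conf.get("realms", {}).get(realm, {}).get("kdc")
    if listed:
        return listed if isinstance(listed, list) else [listed]
    if conf.get("libdefaults", {}).get("dns_lookup_kdc", "false").lower() == "true":
        return ["SRV _kerberos._udp." + realm.lower()]
    return []

def realm_of_host(conf, host):
    """[domain_realm] lookup: the exact host first, then the longest '.suffix' entry."""
    host = host.lower()
    table = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    parts = host.split(".")
    for cand in [host] + ["." + ".".join(parts[i:]) for i in range(1, len(parts))]:
        if cand in table:
            return table[cand]
    return None

def trust_path(conf, client_realm, server_realm):
    """Cross-realm hops: [capaths] if present ('.' = direct), else the hierarchical default via the common suffix."""
    if client_realm == server_realm:
        return []
    hop = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    if hop is not None:
        return [] if hop == "." else (hop if isinstance(hop, list) else [hop])
    c, s = client_realm.split("."), server_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0: return None  # simplification: no shared suffix, no path without an explicit [capaths]
    chain = [".".join(c[i:]) for i in range(len(c) - common + 1)]  # client up to the common ancestor
    chain += [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]  # then down to the server
    return chain[1:-1]

def weak_enctypes(conf):
    """DES enctypes requested in [libdefaults]; any hit means 56-bit ticket keys."""
    libdefaults = conf.get("libdefaults", {})
    ets = " ".join(libdefaults.get(k, "") for k in ("default_tkt_enctypes", "default_tgs_enctypes")).split()
    return sorted({et for et in ets if et.startswith("des-")})
```

What the two configs show: PAM hands libkrb5 an unqualified user name, so every login on a DOM1-default box is tried as user@DOM1.COMP.COM; a DOM2 user gets a TGT only by logging in as user@DOM2.COMP.COM (DOM2 has a kdc entry), and a DOM3 user cannot at all with the posted config, because no [realms] entry and no dns_lookup_kdc tells the client where that realm's KDC is. Cross-realm only comes into play afterwards, for the service ticket to the local host; without [capaths] the model above walks the hierarchy through COMP.COM, which is exactly the realm the question says has no DCs, so that path must be checked rather than assumed. The des-cbc-md5 and des-cbc-crc enctypes pinned in [libdefaults] are single DES with 56-bit keys and should be dropped wherever the DCs offer a stronger type.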