Authentication to realms of a tree
Marigomen, Ted {Info~Palo Alto}
TED.MARIGOMEN at ROCHE.COM
Thu Apr 10 13:36:31 EDT 2003
> -----Original Message-----
> From: hwntw
> Sent: Saturday, April 05, 2003 5:43 AM
> To: kerberos at MIT.EDU
> Subject: Re: Authentication to realms of a tree
>
>
> ("Marigomen, Ted {Info~Palo Alto}") wrote in message
>
> > Hi all,
> >
> > I have set up Kerberos clients of various Unix flavors (RH Linux 7.3, Solaris 8, HPUX 11) to authenticate to our Active Directory. However, the clients can only authenticate (and kpasswd) to the realm specified in the default_realm, not to all the realms of the tree default_realm is a part of.
> >
> > First of all, does kerberos have this capability? If so, what am I
> > missing?
> >
> > Our tree consists of various domains (i.e. DOM1.COMP.COM, DOM2.COMP.COM, DOM3.COMP.COM) which are part of COMP.COM. There are DC's in all of the various domains but not in COMP.COM. If default_realm is set to DOM1.COMP.COM, only users of that domain can authenticate. Conversely, if default_realm is set to DOM2.COMP.COM, only users of that domain can authenticate.
> >
> This begs the question: how did you get the whole thing to work in the first place? What did you do at the AD end? Did you use SFU? Or AD4unix? I am very keen to know how you did it.
>
> Hwntw
I wish I knew. Because of division of labor, our AD, the DC's, the whole tree are maintained and strictly governed by another group, near the headquarters in another continent. I just followed Microsoft's http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp and tested it and authentication worked. Then I read lots of list archives and SEAM and MIT Kerberos docs to understand how it worked.
> > I need only authentication for now. And, since our users travel,
> > users of a certain domain may use a computer of a different domain.
> >
> > RH Linux 7.3 pam_krb5-1.55-1
> > HPUX 11 PAM Kerberos v1.10
> > Solaris 8 SEAM 1.0.1
> >
> >
> > /etc/krb5.conf:
> >
> > [libdefaults]
> > default_realm = DOM1.COMP.COM
> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >
> > [realms]
> > DOM1.COMP.COM = {
> > kdc = kdcdom1.dom1.comp.com
> > kpasswd_protocol = SET_CHANGE
> > kpasswd_server = kdcdom1.dom1.comp.com
> > admin_server = kdcdom1.dom1.comp.com
> > }
> > DOM2.COMP.COM = {
> > kdc = kdcdom2.dom2.comp.com
> > kpasswd_protocol = SET_CHANGE
> > kpasswd_server = kdcdom2.dom2.comp.com
> > admin_server = kdcdom2.dom2.comp.com
> > }
> > [domain_realm]
> > .dom1.comp.com = DOM1.COMP.COM
> > dom1.comp.com = DOM1.COMP.COM
> > .dom2.comp.com = DOM2.COMP.COM
> > dom2.comp.com = DOM2.COMP.COM
> >
> > [logging]
> > default = FILE:/var/krb5/kdc.log
> > kdc = FILE:/var/krb5/kdc.log
> > kdc_rotate = {
> > period = 1d
> > versions = 10
> > }
> >
> > [appdefaults]
> > kinit = {
> > renewable = true
> > forwardable= true
> > }
> > rlogin = {
> > forwardable= true
> > }
> > rsh = {
> > forwardable= true
> > }
> > telnet = {
> > autologin = true
> > forwardable= true
> > }
> >
> >
> > Thanks
> > Ted
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
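As an added example (not code from the thread, and not MIT krb5's), here is a small Python model of how a krb5.conf like the one posted above is consulted when a user from another realm of the tree logs in on this client: an explicit @REALM in the principal selects that realm's KDC, an unqualified name is pinned to default_realm, and [domain_realm] maps hostnames to realms. It parses the posted configuration (embedded below, trimmed, as a constructed sample) and audits it for realms with no kdc, realms no [domain_realm] entry maps to, and the single-DES enctypes the post enables, which are weak. The parser, the audit and its finding strings are this example's own.

```python
"""Added example: a small model of how libkrb5 consults krb5.conf in a multi-realm tree.
The parser and audit are this example's own code, not MIT krb5's or the thread's."""
import re

# Constructed sample: the [libdefaults], [realms] and [domain_realm] sections of the
# krb5.conf posted in the thread, trimmed to the keys this example looks at.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOM1.COMP.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc

[realms]
DOM1.COMP.COM = {
kdc = kdcdom1.dom1.comp.com
}
DOM2.COMP.COM = {
kdc = kdcdom2.dom2.comp.com
}

[domain_realm]
.dom1.comp.com = DOM1.COMP.COM
dom1.comp.com = DOM1.COMP.COM
.dom2.comp.com = DOM2.COMP.COM
dom2.comp.com = DOM2.COMP.COM
"""

# Single-DES enctypes (the post enables two of them): weak, off by default in current MIT krb5.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format: [section] headers, 'key = value' lines and
    nested 'key = { ... }' blocks. A repeated key (several kdc lines) becomes a list."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                      # new top-level section
            stack = [root.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any section: %r" % raw)
        if line == "}":                            # close the innermost block
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        cur = stack[-1]
        if value == "{":                           # open a nested block, e.g. a realm
            cur[key] = {}
            stack.append(cur[key])
        elif key in cur:                           # repeated key -> list of values
            cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
        else:
            cur[key] = value
    return root


def principal_realm(principal, conf):
    """An explicit @REALM selects that realm; an unqualified name is pinned to
    default_realm, which is why 'kinit bob' on this client only ever reaches DOM1."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    return conf["libdefaults"]["default_realm"]


def kdcs_for_realm(realm, conf):
    """KDC hostnames configured for a realm; empty if the client does not know it."""
    kdc = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return kdc if isinstance(kdc, list) else [kdc]


def realm_for_host(hostname, conf):
    """[domain_realm] lookup: exact hostname first, then parent domains with a leading
    dot. None means no mapping; libkrb5 then applies its own fallback rules."""
    mapping = conf.get("domain_realm", {})
    labels = hostname.lower().split(".")
    candidates = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate]
    return None


def audit(conf):
    """Gaps to close on a client before users from the other realms of the tree use it."""
    findings, libdefaults = [], conf.get("libdefaults", {})
    realms, mapped = conf.get("realms", {}), set(conf.get("domain_realm", {}).values())
    for realm in realms:
        if not kdcs_for_realm(realm, conf):
            findings.append("%s: no kdc configured" % realm)
        if realm not in mapped:
            findings.append("%s: no [domain_realm] entry maps hosts to it" % realm)
    default = libdefaults.get("default_realm")
    if default not in realms:
        findings.append("default_realm %s has no [realms] entry" % default)
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key, "")
        value = " ".join(value) if isinstance(value, list) else value
        weak = [e for e in value.split() if e in WEAK_ENCTYPES]
        if weak:
            findings.append("%s: weak enctypes %s" % (key, ", ".join(weak)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("finding:", finding)
```

The first thing to check on a client that only ever reaches default_realm is whether users from the other realms log in with a fully qualified principal (user@DOM2.COMP.COM): principal_realm() shows that an unqualified name never leaves DOM1, whatever the [realms] section lists. On the posted configuration the audit reports only the DES enctypes; a realm added to [realms] without a kdc line or a [domain_realm] mapping is reported as a separate finding each.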