Authentication to realms of a tree

Marigomen, Ted {Info~Palo Alto} TED.MARIGOMEN at ROCHE.COM
Fri Mar 28 13:03:24 EST 2003


Hi all,

I have set up kerberos clients of various unix flavors (RH linux 7.3,
Solaris 8, HPUX 11) to authenticate to our Active Directory.  However,
the clients can only authenticate (and kpasswd) to the realm specified
in the default_realm, not to all the realms of the tree default_realm is
a part of.

First of all, does kerberos have this capability?  If so, what am I
missing?

Our tree consists of various domains (i.e. DOM1.COMP.COM, DOM2.COMP.COM,
DOM3.COMP.COM) which are part of COMP.COM.  There are DCs in all of the
various domains but not in COMP.COM.  If default_realm is set to
DOM1.COMP.COM, only users of that domain can authenticate.  Conversely,
if default_realm is set to DOM2.COMP.COM, only users of that domain can
authenticate.

I need only authentication for now.  And, since our users travel, users
of a certain domain may use a computer of a different domain.

	RH Linux 7.3	pam_krb5-1.55-1
	HPUX 11	PAM Kerberos v1.10
	Solaris 8	SEAM 1.0.1


/etc/krb5.conf:

[libdefaults]
        default_realm = DOM1.COMP.COM
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
        DOM1.COMP.COM = {
                kdc = kdcdom1.dom1.comp.com
                kpasswd_protocol = SET_CHANGE
                kpasswd_server = kdcdom1.dom1.comp.com
                admin_server = kdcdom1.dom1.comp.com
        }
        DOM2.COMP.COM = {
                kdc = kdcdom2.dom2.comp.com
                kpasswd_protocol = SET_CHANGE
                kpasswd_server = kdcdom2.dom2.comp.com
                admin_server = kdcdom2.dom2.comp.com
        }
[domain_realm]
        .dom1.comp.com = DOM1.COMP.COM
        dom1.comp.com = DOM1.COMP.COM
        .dom2.comp.com = DOM2.COMP.COM
        dom2.comp.com = DOM2.COMP.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }
        rlogin = {
                forwardable= true
        }
        rsh = {
                forwardable= true
        }
        telnet = {
                autologin = true 
                forwardable= true
        }


Thanks
Ted
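The behaviour described in the post is what a Kerberos client does with a bare login name: pam_krb5 and kinit qualify `user` to `user@default_realm`, so a traveller from DOM2.COMP.COM who types only `user` on a DOM1 workstation is looked up in the wrong realm, while `user@DOM2.COMP.COM` would be sent to the KDC listed under that realm's [realms] stanza. The script below is an added example, not part of Ted's post or of any of the PAM modules he lists. It parses a krb5.conf in the format shown (a constructed copy of the posted config, with a DOM3.COMP.COM [domain_realm] entry added to exercise the checks), shows how a bare name and a hostname are mapped to realms, and lints the file for realms that are referenced without a [realms]/kdc entry and for the single-DES enctypes the posted config pins, which are weak by today's standards. The parser and the longest-suffix [domain_realm] matching are simplified reimplementations, not libkrb5's own code.

```python
import re

# Constructed sample adapted from the posted krb5.conf; the .dom3.comp.com
# line has no matching [realms] stanza on purpose so the linter has something to find.
SAMPLE_KRB5_CONF = """
[libdefaults]
        default_realm = DOM1.COMP.COM
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
        DOM1.COMP.COM = {
                kdc = kdcdom1.dom1.comp.com
                kpasswd_server = kdcdom1.dom1.comp.com
        }
        DOM2.COMP.COM = {
                kdc = kdcdom2.dom2.comp.com
                kpasswd_server = kdcdom2.dom2.comp.com
        }
[domain_realm]
        .dom1.comp.com = DOM1.COMP.COM
        dom1.comp.com = DOM1.COMP.COM
        .dom2.comp.com = DOM2.COMP.COM
        .dom3.comp.com = DOM3.COMP.COM
"""

# Enctypes that should not appear in a modern client config (single DES, RC4, 3DES).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "arcfour-hmac", "rc4-hmac"}


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf profile format: [section] headers,
    key = value lines, and key = { ... } nested subsections.  Returns a dict
    of section name -> dict (subsections are nested dicts)."""
    sections = {}
    stack = []  # dicts currently open; stack[-1] receives new keys
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue  # key/value outside any section: ignore
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def expand_principal(conf, name):
    """Qualify a bare login name with default_realm, as pam_krb5/kinit do."""
    if "@" in name:
        return name
    return f"{name}@{conf['libdefaults']['default_realm']}"


def realm_for_host(conf, hostname):
    """Map a hostname to a realm via [domain_realm]: longest matching entry wins
    (exact host or '.suffix'), otherwise fall back to default_realm."""
    host = hostname.lower()
    best = None
    for pattern, realm in conf.get("domain_realm", {}).items():
        p = pattern.lower()
        hit = host.endswith(p) if p.startswith(".") else host == p
        if hit and (best is None or len(p) > len(best[0])):
            best = (p, realm)
    return best[1] if best else conf["libdefaults"].get("default_realm")


def lint(conf):
    """Report realms referenced without a usable [realms] stanza and weak enctypes."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] stanza")
    for realm, cfg in realms.items():
        if "kdc" not in cfg:
            findings.append(f"{realm}: [realms] stanza has no kdc entry")
    for pattern, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {pattern} to {realm}, "
                            f"which has no [realms] stanza (no KDC configured)")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enc in libdefaults.get(key, "").split():
            if enc in WEAK_ENCTYPES:
                findings.append(f"{key} allows weak enctype {enc}")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print(expand_principal(conf, "alice"), "<- bare name goes to default_realm")
    print(realm_for_host(conf, "ws01.dom2.comp.com"))
    for finding in lint(conf):
        print("WARN:", finding)
```

Running it shows why a DOM2 user on a DOM1 workstation fails with a bare name: `alice` becomes `alice@DOM1.COMP.COM`. The linter output is the check to run after adding every domain of the tree to [realms] and [domain_realm], and it will keep flagging the DES enctypes until they are replaced with AES.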


