Authentication to realms of a tree
Marigomen, Ted {Info~Palo Alto}
TED.MARIGOMEN at ROCHE.COM
Fri Mar 28 13:03:24 EST 2003
Hi all,
I have setup kerberos clients of various unix flavors (RH linux 7.3,
Solaris 8, HPUX 11) to authenticate to our Active Directory. However,
the clients can only authenticate (and kpasswd) to the realm specified
in the default_realm, not to all the realms of the tree default_realm is
a part of.
First of all, does kerberos have this capability? If so, what am I
missing?
Our tree consists of various domains (i.e. DOM1.COMP.COM, DOM2.COMP.COM,
DOM3.COMP.COM) which are part of COMP.COM. There are DC's in all of the
various domains but not in COMP.COM. If default_realm is set to
DOM1.COMP.COM, only users of that domain can authenticate. Conversely,
if default_realm is set to DOM2.COMP.COM, only users of that domain can
authenticate.
I need only authentication for now. And, since our users travel, users
of a certain domain may use a computer of a different domain.
RH Linux 7.3 pam_krb5-1.55-1
HPUX 11 PAM Kerberos v1.10
Solaris 8 SEAM 1.0.1
/etc/krb5.conf:
[libdefaults]
default_realm = DOM1.COMP.COM
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
DOM1.COMP.COM = {
kdc = kdcdom1.dom1.comp.com
kpasswd_protocol = SET_CHANGE
kpasswd_server = kdcdom1.dom1.comp.com
admin_server = kdcdom1.dom1.comp.com
}
DOM2.COMP.COM = {
kdc = kdcdom2.dom2.comp.com
kpasswd_protocol = SET_CHANGE
kpasswd_server = kdcdom2.dom2.comp.com
admin_server = kdcdom2.dom2.comp.com
}
[domain_realm]
.dom1.comp.com = DOM1.COMP.COM
dom1.comp.com = DOM1.COMP.COM
.dom2.comp.com = DOM2.COMP.COM
dom2.comp.com = DOM2.COMP.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
rlogin = {
forwardable= true
}
rsh = {
forwardable= true
}
telnet = {
autologin = true
forwardable= true
}
Thanks
Ted
More information about the Kerberos
mailing list