Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...
Lara Adianto
m1r4cle_26 at yahoo.com
Wed Apr 14 04:30:11 EDT 2004
Hi Kostas,
I haven't found the perfect solution for the problem,
but I'll surely post some notes in the mailing list
when I find one.
> That is: active directory users & computers-> view
> -> advanced features,
> then right click on a user -> name mappings ->
> kerberos names -> add ->
> user at YOUR.KERBEROS.REALM. Then users are able to be
> authorized by the
> win2k server in the AD and be serviced.
I'm sure it's more than the above step. You must have
also specified the KDC server of your realm using
ksetup / Security Configuration Template (as mentioned
in Step-by-step Guide to Kerberos 5 Interoperability).
I supposed you have quite a number of w2k/winxp
machines in your domain and you have used the security
configuration templates...?
Care to share with me how you do it ?
I haven't got a clear picture of how it can be done
using security configuration template.
My guess is that we will need to update sceregvl.inf,
register the changes by doing 'regsvr32 scecli.dll',
and also change the group policy.
Anyway, I've tried to update sceregvl.inf but it
didn't work :-(
I'm wondering...
How can I achieve the job done by ksetup in every
machine by using a security configuration template in
only a single domain and have all the registry
settings applied to every machine in the domain...
Anyone ?
-lara-
--- Kostas Liakakis <kostas at skiathos.physics.auth.gr>
wrote:
>
> Hi,
>
> our setup is somewhat like yours, though not the
> same. I 'll describe it
> to you and maybe you 'll be able to decide if there
> are any bits you could
> try in your case.
>
> We have a kerberos realm (XXX.GR) and a seperate
> win2k AD domain
> (pclab.xxx.gr).
>
> There is a one-way trust relationship between them:
> win2k trusts kerberos
> realm. No need for a two-way one.
>
> Every win2k/xp workstation machine is a member of
> the win2k domain. Users
> are authenticated in the kerberos realm. Their win2k
> passwords are
> random dummies.
>
> In order for the users to actually logon to the
> win2k workstations, name
> mappings for each one of them have to be defined in
> the active directory.
> That is: active directory users & computers-> view
> -> advanced features,
> then right click on a user -> name mappings ->
> kerberos names -> add ->
> user at YOUR.KERBEROS.REALM. Then users are able to be
> authorized by the
> win2k server in the AD and be serviced.
>
> We have a central ldap hosting all user account
> info, so keeping the win2k
> AD user database in sync is easily accomplished by a
> perl script...
>
> I too get many kerberos errors in the win2k server
> audit log and many
> requests for non-existent principals in the kerberos
> realm (cifs and
> workstation netbios names to name most of them) but
> they seem harmless and
> at least as far as our needs are concerned,
> everything "works".
>
> Please keep mailing your progress to the list. The
> lack of relevant
> answers probably means that nobody has a clue about
> all this.
>
> Cheers,
>
> -Kostas
>
>
> On Fri, 9 Apr 2004, Lara Adianto wrote:
>
> > I'll try to re-explain my problem in a better way:
> > I have two domains located in 2 different realms:
> > domain A is a win2k domain
> > domain B is a kerberos domain (a Heimdal kerberos
> > realm - I have to use heimdal bec I intend to use
> it
> > with openldap)
> > There exists a cross-realm trust between domain A
> and
> > domain B.
> >
> > In domain A, there is a win2k prof machine, let's
> we
> > call it PC-1.
> > While in domain B, there is a win2k prof machine
> as
> > well: PC-2.
> >
> > A user using PC-2 has successfully authenticated
> > himself to Kerberos Realm (domain B), and now the
> user
> > wants to access PC-1 in domain A. Theoritically,
> this
> > is possible since the cross-realm trust has been
> > established.
=====
------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------
__________________________________
Do you Yahoo!?
Yahoo! Tax Center - File online by April 15th
http://taxes.yahoo.com/filing.html
More information about the Kerberos
mailing list