Windows AD and MIT KDC Cross-Realm Trust

Digant Kasundra digant at uta.edu
Mon Feb 16 17:41:15 EST 2004


> That is the only way to do it.  There is no term called 
> "pass-through" authentication within Kerberos.  The 
> authentication between the MIT and Microsoft realms is based 
> on cross-realm trusts.  This is exactly what is described on the page:

I guess I am using the phrase "pass-through" authentication as it is
referenced below:

http://acd.ucar.edu/~fredrick/linux/kerberos/testbed.html

(e.g. a workstation on a domain authning against Krb and authzing against AD
as opposed to a standalone workstation doing the same thing).

Sorry for my misunderstandings.



That being the case, when a user tries to log in using bwinkle@kerb.uta.edu,
I do see a request hit the KDC but the user still does not get logged in.
According to the logs, I see an AS_REQ "bwinkle@KERB.UTA.EDU for
krbtgt/KERB.UTA.EDU@KERB.UTA.EDU".  In my principals on the KDC machine
(montyburns), I have bwinkle@KERB.UTA.EDU, krbtgt/KERB.UTA.EDU@KERB.UTA.EDU,
krbtgt/KERB.UTA.EDU@UTA.EDU and krbtgt/UTA.EDU@KERB.UTA.EDU (as well as the
kadmin ones that are created at install).

What else should I look at?

