service principals in AD fro unix kerberos clients

Dirk Pape pape at inf.fu-berlin.de
Mon Jan 26 03:16:33 EST 2004


In article <EYydnYZ5UJlKeZLdRVn-hA at is.co.za>,
 "Ryan Odgers" <odgersr at out.co.za> wrote:

> If the KDC is win2000 and the kerberos client is UNIX or MIT, does
> cross-realm authentication still need to be set up?
> It is the same kerberos realm, the unix machine points to the 2000 KDC as
> its server.

we have done this successfully here:

having Unix hosts sshd and apache authenticate users from Windows 2003 
AD via kerberos.
We use Win 2003 Server (but it also worked with windows 2000 Server AD), 
I remember SFU was necessary to make it work.

I do not see, what we did differnent from what you did, but there were 
two things we had to struggle with:

1. you have to set up one user account (not computer account) for every 
service you want to be kerberized (this reads: there is a one-to-one-map 
between service principals and service accounts.

2. you have to be sure that you have the correct name of the principal 
(as used by the service) and that the keytab is found and readable by 
the service. 

Regards,
Dirk.

-- 
Dr. Dirk Pape (Leiter des Rechnerbetriebs)
FB Mathematik und Informatik der FU-Berlin
Takustr. 9, 14195 Berlin
Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190


More information about the Kerberos mailing list