Is there a Win2k server equivalence to krb5.conf [domain_realm]?

Steve.Schwager@tellabs.com Steve.Schwager at tellabs.com
Thu May 27 18:06:22 EDT 2004


I'm setting up a multi-realm (Windows/Unix) environment. I think I've got
it all figured out except for one thing.

How does the Windows KDC know that mymachine.unixnet.mycompany.com is in
the realm UNIXNET.MYCOMPANY.COM? In the MIT implementation, client would
have done this using [domain_realm] configuration in krb5.conf. Where
does one configure this in the Windows (2003) server?

I've got a separate KDC for the Unix realm and I'm doing referrals. I
hope that, like krb5.conf, I can configure the mapping once for the
entire DNS domain (e.g. [domain_realm] .unixnet.mycompany.com
UNIXNET.MYCOMPANY.COM).

------------------------------------------------------

Here's the scenario in gory detail,

I have two realms (or whatever Microsoft calls things in their world)
WINDOWSNET.MYCOMPANY.COM and UNIXNET.MYCOMPANY.COM.

My desktop is in WINDOWS.MYCOMPANY.COM.

I'm going to do kerberos referrals, and I think I have that figured out.

IE6 attempts to access
http://mymachine.unixnet.mycompany.com/whatever.html. The server is
kerberized a la SPNEGO.

I've got enough set up so that I see the client request a ticket from
the windows KDC for the service principal
HTTP/mymachine.unixnet.mycompany.com at WINDOWSNET.MYCOMPANY.COM (with the
fancy "canonicalize" bit set according to
draft-ietf-krb-wg-kerberos-referrals-03).

Now it's the server's job to return a ticket for
HTTP/mymachine.unixnet.mycompany.com at UNIXNET.MYCOMPANY.COM (note that
it should change the realm to UNIXNET...)

That's where I'm lost. I can't find anywhere to configure the
domain/realm relationship. Will the server see the cross-realm trust and
just assume that if there is a trust to UNIXNET.MYCOMPANY.COM, then
mymachine.unixnet.mycompany.com must be a member of that realm?



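The [domain_realm] lookup the post refers to, as an added example that is not part of the original message: a small Python model of how MIT krb5 walks that section (exact hostname first, then each parent domain with a leading dot, longest suffix winning) and how the referral would rewrite the service principal's realm. The krb5.conf fragment, the `legacy-box` host exception and the hostnames are constructed; the Windows-side configuration the post asks about is not modelled.

```python
"""Model of MIT krb5 [domain_realm] host-to-realm mapping (added example)."""
import re

# Constructed krb5.conf fragment using the realm names from the post.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = UNIXNET.MYCOMPANY.COM

[domain_realm]
    .unixnet.mycompany.com = UNIXNET.MYCOMPANY.COM
    unixnet.mycompany.com = UNIXNET.MYCOMPANY.COM
    .windowsnet.mycompany.com = WINDOWSNET.MYCOMPANY.COM
    # constructed host-level exception: one Windows-named box served by the Unix KDC
    legacy-box.windowsnet.mycompany.com = UNIXNET.MYCOMPANY.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict of lowercased key -> realm."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            continue
        if section == 'domain_realm' and '=' in line:
            key, _, realm = line.partition('=')
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def host_to_realm(hostname, mapping):
    """Exact hostname key first, then '.parent', '.grandparent', ... (longest
    suffix wins). Returns None when nothing matches so the caller can fall
    back to default_realm or DNS instead of guessing a realm."""
    host = hostname.rstrip('.').lower()
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None

def referral_principal(service, hostname, mapping):
    """Service principal as a referring KDC would canonicalize it."""
    realm = host_to_realm(hostname, mapping)
    if realm is None:
        raise LookupError(f"no [domain_realm] mapping for {hostname}")
    return f"{service}/{hostname}@{realm}"
```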

