domain realm mapping
Douglas E. Engert
deengert at anl.gov
Fri Apr 1 07:45:01 EST 2005
Preetam Ramakrishna wrote:
> Hi,
>
> On unix machines, the kerberized client (eg: telnet) looks for
> "domain realm mappings" in the /etc/krb5.conf file. So, when I run
> "telnet server-1.acme.com", the client would appropriately request a
> service ticket from the KDC for host/server-1.acme.com at REALM1.COM
>
> Is there anything equivalent to this on a win2k workstation
> which is configured to be a part of the non-windows kerberos realm?
The krb5.ini on Windows is the same as a unix krb5.conf, and the KfW
Kerberos libs will use the domain realm mappings.
If you are using the windows kerberos libs, via SSPI, the
server_principal_name parameter of the InitializeSecurityContext
routine can take the form: <service>@<host>@<realm>
so the application can provide all three.
Windows also implements referrals, where the client asks the KDC
for a ticket. The KDC can then return a referral to the client to
try a different realm. But this requires (1) KDC has a database
of host realm mappings, (2) KDC has referral code, and (3) client
understands what to do with a referral. Windows code has all three.
AD can find hosts in its forest. AFAIK, referrals are not yet implemented
in non-Windows Kerberos. The IETF krb-wg and Kitten WG are addressing
these issues.
SecureCRT and PuTTY can use either MIT KfW or SSPI and can allow the user
to provide the realm when using the SSPI.
>
> Thanks,
> Preetam
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
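The lookup both messages describe, a hostname resolved to a realm through the [domain_realm] section of krb5.conf (krb5.ini on Windows), as an added example that is not code from this thread, from MIT Kerberos or from Microsoft. The config text, realm names and hostnames are constructed; the fall-back to default_realm when no mapping matches is an assumption (a simplification of what the real libraries do, which may also consult DNS).

```python
"""Added example: resolve hostname -> realm the way the [domain_realm]
section of krb5.conf / krb5.ini is consulted, then build the service
principal a client such as telnet would ask the KDC for.
The configuration below is constructed for this example."""
import re

# Constructed sample krb5.conf; realms and hostnames are hypothetical.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = REALM1.COM

[domain_realm]
    .acme.com = REALM1.COM
    acme.com = REALM1.COM
    legacy.acme.com = OLDREALM.COM
    .corp.example = AD.CORP.EXAMPLE
"""


def parse_krb5_conf(text):
    """Minimal parser for simple 'key = value' lines under [section] headers.
    Keys are lower-cased because hostnames compare case-insensitively."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', ';')):
            continue
        header = re.match(r'^\[(\w+)\]$', line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            current[key.lower()] = value
    return sections


def host_to_realm(hostname, conf):
    """Most-specific match wins: the exact hostname first, then each parent
    domain written with a leading dot (.acme.com, then .com, ...).
    Assumption: with no mapping at all, fall back to default_realm."""
    domain_realm = conf.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in domain_realm:
            return domain_realm[candidate]
    return conf.get('libdefaults', {}).get('default_realm')


def service_principal(service, hostname, conf):
    """Service principal the client requests from the KDC, e.g.
    host/server-1.acme.com@REALM1.COM for 'telnet server-1.acme.com'."""
    host = hostname.lower().rstrip('.')
    return f"{service}/{host}@{host_to_realm(hostname, conf)}"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for h in ("server-1.acme.com", "legacy.acme.com",
              "box.legacy.acme.com", "dc1.corp.example", "other.org"):
        print(h, "->", service_principal("host", h, conf))
```

Note that a mapping for "legacy.acme.com" (no leading dot) covers only that exact host, while ".acme.com" covers every host beneath acme.com; a mis-ordered or missing entry silently sends the ticket request to the wrong realm, which is why a lookup like this is worth checking against the hostnames you actually connect to.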