domain realm mapping
Preetam Ramakrishna
rpreetam at novell.com
Mon Apr 4 00:00:37 EDT 2005
Hi,
Douglas, thanks for the information. I forgot to mention that
I was using a windows client, i.e., I am trying to map to a w2k server
(part of a win2k domain). Is it possible to specify the w2k domain name
in this case?
Thanks,
Preetam
>>> "Douglas E. Engert" <deengert at anl.gov> 4/1/2005 6:15 PM >>>
Preetam Ramakrishna wrote:
> Hi,
>
> On unix machines, the kerberized client (e.g. telnet) looks for
> "domain realm mappings" in the /etc/krb5.conf file. So, when I run
> "telnet server-1.acme.com", the client would appropriately request the
> KDC a service ticket for host/server-1.acme.com@REALM1.COM
>
> Is there anything equivalent to this on a win2k workstation
> which is configured to be a part of the non-windows kerberos realm?
The krb5.ini on Windows is the same as a unix krb5.conf, and the KfW
Kerberos libs will use the domain realm mappings.
If you are using the windows kerberos libs, via SSPI, the
server_principal_name parameter of the InitializeSecurityContext
routine can take the form: <service>@<host>@<realm>
so the application can provide all three.
Windows also implements referrals, where the client asks the KDC
for a ticket. The KDC can then return a referral to the client to
try a different realm. But this requires (1) KDC has a database
of host realm mappings, (2) KDC has referral code, and (3) client
understands what to do with a referral. Windows code has all three.
AD can find hosts in its forest. AFAIK, referrals are not yet implemented
in non windows Kerberos. The IETF krb-wg and Kitten WG are addressing
these issues.
SecureCRT, and PuTTY can use either MIT KfW or SSPI and can allow the user
to provide the realm when using the SSPI.
>
> Thanks,
> Preetam
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
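The domain-to-realm lookup discussed in this thread, as an added example (not part of the original messages and not the MIT library's code): a simplified Python model of how a `[domain_realm]` section in krb5.conf / krb5.ini maps a host name to a realm, trying an exact host entry first and then progressively shorter dot-prefixed domain entries. The sample file contents, the ENG.EXAMPLE realm and the function names are constructed for illustration.

```python
# Constructed sample; only server-1.acme.com and REALM1.COM come from the thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = REALM1.COM

[domain_realm]
    # a leading dot matches every host below that domain
    .acme.com = REALM1.COM
    acme.com = REALM1.COM
    .eng.acme.com = ENG.EXAMPLE
"""

def parse_domain_realm(text):
    """Return {host-or-.domain: realm} from the [domain_realm] section."""
    mappings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm  # keys are compared in lower case
    return mappings

def realm_for_host(hostname, mappings, default_realm=None):
    """Exact host entry wins; otherwise the longest matching '.domain' entry."""
    host = hostname.rstrip(".").lower()
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix]
    return default_realm

def service_principal(service, hostname, mappings, default_realm=None):
    """Build the service/host@REALM name a client would request a ticket for."""
    realm = realm_for_host(hostname, mappings, default_realm)
    if realm is None:
        raise LookupError(f"no realm mapping for {hostname}")
    return f"{service}/{hostname.rstrip('.').lower()}@{realm}"

if __name__ == "__main__":
    m = parse_domain_realm(SAMPLE_KRB5_CONF)
    print(service_principal("host", "server-1.acme.com", m))
```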