AD Domain Authentication to MIT Kerb V

Douglas E. Engert deengert at anl.gov
Fri Feb 18 14:32:07 EST 2005



Matt Joyce wrote:

> So I can authenticate on my 2003 AD box to my MIT Kerb V realm and login 
> as my mapped user.
>

Note that this may be letting you login to a local account on the machine,
not necessarily the domain.

> I've gone over my docs a few times.  Checked my i's and t's for dots and 
> crosses.
> 
> I am befutteled (spelling?).
> Do I create DNS entries for the Real name as if it was a Domain?

The SRV records for _kerberos._tcp.<realmname> and _kerberos._udp.<realmname>
can be used by both Kerberos libs and the built in Windows Kerberos when
used with AD. This is a minor issue.

> Do I synch Domain username passwords to their mapped principals and 
> expect my MIT realm tickets to show up in leash along with the Domain 
> Tickets I see?

Confusing question which might be answered by the reference below.

> Are the domain tickets I am seeing for the domain really MIT Kerb 5 
> tickets?  Are they related to the service tgt I created for AD?
> 

They are all Kerberos 5 tickets, issued by different realms.
I hope you are not trying to have a domain with its DCs, and a realm
with its KDCs, with the same name. This will get too confusing
and will not interoperate. But what you can do is have
different names for the domain and realm and do cross realm
between them.

AD uses Kerberos for authentication, and can act as a KDC. In this
case the realm name is the uppercase domain name. But AD adds a PAC
to the tickets with authorization info which a non-AD KDC will not.
The non-AD KDC will copy the PAC from a TGT to a service ticket
if it is found in the TGT, such as cross realm from AD to non-AD.
The PAC has the groups and other authorization stuff from the AD account.

> What's going on?  Docs?  Thoughts?  Anything at all would be again 
> greatly appreciated.

See:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp



> 
> -A very confused but somewhat elated Matt Joyce

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
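As an added illustration of the "different names for the domain and realm, then cross realm between them" advice above (constructed example, not from the original post), here is a client-side krb5.conf for a hypothetical AD domain ad.example.com (realm AD.EXAMPLE.COM) and a separately named MIT realm MIT.EXAMPLE.COM; all host and realm names are placeholders.

```ini
# Constructed example: krb5.conf joining an AD realm and an MIT realm
# that carry different names, so the two sets of KDCs never collide.
[libdefaults]
    default_realm = MIT.EXAMPLE.COM
    # let the _kerberos._tcp/_udp SRV records locate KDCs for either realm
    dns_lookup_kdc = true

[realms]
    MIT.EXAMPLE.COM = {
        kdc = kdc1.mit.example.com
        admin_server = kdc1.mit.example.com
    }
    AD.EXAMPLE.COM = {
        # a domain controller acting as KDC; realm is the uppercased domain
        kdc = dc1.ad.example.com
    }

[domain_realm]
    # hostname suffix -> realm, so service tickets go to the right KDC
    .mit.example.com = MIT.EXAMPLE.COM
    .ad.example.com  = AD.EXAMPLE.COM

[capaths]
    # direct trust in both directions; "." means no intermediate realm
    MIT.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        MIT.EXAMPLE.COM = .
    }
```

The trust itself is created out of band: the cross-realm principals krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.COM and krbtgt/MIT.EXAMPLE.COM@AD.EXAMPLE.COM must exist with matching keys in both KDCs (kadmin on the MIT side, a realm trust on the AD side), and only the AD-to-MIT direction will carry a PAC in the cross-realm TGT.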

