AD Domain Authentication to MIT Kerb V

Matt Joyce syslists at
Fri Feb 18 17:24:52 EST 2005

Douglas E. Engert wrote:

> Matt Joyce wrote:
>>> So when you login, do you type user at realm or just user?
>> just user.  The @ seemingly specifies a domain to login to. 
> No its the realm of the user. This machine knows what domain it is in.
> So the first step it to authenticate to the user's realm, then
> the libs will get cross realm tickets and finals a service ticket
> for the machine from the machine's realm.
So it is still within the DOMAIN.COM domain not a seperate 
REALM.DOMAIN.COM domain.  Okay That clears something up.
If this is the case do I need to add host principles to the MIT Kerb V 
kdc for the machines in the domain wishing to auth to the 
REALM.FXSERVER.COM principles?  Do I need to join the REALM on the 
client boxes?  Should I be seeing the REALM option in the domain list?  =( 

Is there anything special I need to do to those client machines?

currently I am unable to login to user at REALM.DOMAIN.COM on anything but 
the AD box.  Any suggestions as to why that might be?

>> I cannot login to a Domain with a complete realm prinicpal without 
>> inadvertental telling windows to login to som alternate domain... 
> *BUT thats the point* the user is in one realm the machine in another.
> They can trust each other because you setup the cross realm, and with AD,
> the AD of the machine spotted that your user has an AD account, and so it
> added PAC information so the machine would accept the user as domain 
> user.
> > possibly a trusted kerb5 realm domain created by AD?
> Not sure what you mean. AD does not create realms. Although domains in
> a forest are using Kerberos cross realm.
This cleared up all sorts of misunderstandings I had.  =)  Well I am 
seeing lots of DOMAIN.COM tickets but no REALM.DOMAIN.COM tickets.  But 
that's probably because I've been thinking i need to login to the AD 
domain not the REALM.  =/

>> When i login to the Domain as a regular user MIT leash shows me a wad 
>> of @DOMAIN.COM tickets.  Can I assume these tickets will be honored 
>> by services  in the MIT Kerb V realm REALM.DOMAIN.COM?
> Yes and no. The tickets are for selected services in what ever realm
> the service is in. Since the user is in DOMAIN.COM one of the tickets
> is krbtgt/DOMAIN.COM at DOMAIN.COM this is the ticket granting ticket used
> to get more tickets from DOMAIN.COM for services in that realm.
> There may also be a krbtgt/REALM.DOMAIN.COM at DOMAIN.COM This is the cross
> realm ticket issued by DOMAIN.COM used to get tickets from 
> But you would only see this if the user attempted to use a service in
> When you get this working you using the user in REALM.DOMAIN.COM
> you should see these tickets:
>    krbtgt/REALM.DOMAIN.COM at REALM.DOMAIN.COM   (initial ticket)

Don't have that.

>    krbtgt/DOMAIN.COM at REALM.DOMAIN.COM         (cross realm ticket)

or that

>    host/theworkstaiton at DOMAIN.COM             (service ticket for host)
>> This line of discussion is really really helpful thanks a ton.
Still is =P

-Matt Joyce

More information about the Kerberos mailing list