please help with MS AD -> UNIX trust

vadim vadim.tarassov at swissonline.ch
Fri Jun 3 01:02:37 EDT 2005


Hallo everybody,

Could you please point stupid me to the right piece of documentation?

I've built a Kerberos realm where the KDC is MS AD, the servers are OpenSSH and
OpenLDAP on Solaris 8, and the clients are on Solaris and Cygwin. I have used the
GSSAPI implementations from Heimdal and MIT with equal success:
everything worked just perfectly!

Now, for some odd reasons, I have to build a pure UNIX realm and
establish a one-way trust, where the UNIX realm trusts AD, and users, once
logged into the AD realm, should also be able to log into the UNIX
realm.

I have tried both Heimdal 0.6.4 and MIT 1.4.1 as the UNIX realm, and in both
cases I get the same result with OpenSSH:

1) assuming that the AD realm is called A and the UNIX realm is called B,
the client obtains a TGT for realm A.
2) trying to ssh into realm B, the client gets the ticket
krbtgt/B@A
3) the client gets the ticket host/whatsoever@B

and at this moment GSSAPI fails to establish a context between the client and
the SSH server. The SSH server writes "gssapi-with-mic failed" in its log ...

Since both Heimdal and MIT behave in exactly the same manner with
several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems
with AD and Heimdal/MIT if I don't try to make them trust each other, I am
absolutely sure that I've missed the right documentation ...

Can you please tell me where I could dig further?

Thanks a lot and best regards, vadim tarassov.

-- 
vadim <vadim.tarassov at swissonline.ch>
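A worked configuration for the one-way trust described in the post above (AD realm A trusted by UNIX realm B, ticket path krbtgt/A@A -> krbtgt/B@A -> host/server@B), added here as an illustration; it is not part of the original message or of any reply to it. It uses MIT krb5 option names, and the hostnames kdc.a.example / kdc.b.example, the DNS domains a.example / b.example, and the auth_to_local rule are assumptions for illustration only.

```ini
# Added example krb5.conf for the UNIX realm B side (its KDC, SSH servers
# and clients). Not from the original post; hostnames and domains are
# placeholders. Realm names A (AD) and B (UNIX) follow the post.
[libdefaults]
    default_realm = B
    # Enctypes that both KDCs must be able to issue and read. The cross-realm
    # key krbtgt/B@A is minted by the A (AD) KDC and verified by the B KDC, so
    # it must exist in an enctype B supports; AD of that era defaults to RC4-HMAC.
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5

[realms]
    A = {
        kdc = kdc.a.example
    }
    B = {
        kdc = kdc.b.example
        admin_server = kdc.b.example
        # MIT krb5 only: map user@A onto the local account "user" so that the
        # server's krb5_kuserok() accepts a cross-realm principal without a
        # ~/.k5login entry. Heimdal has no auth_to_local; use ~/.k5login there.
        auth_to_local = RULE:[1:$1@$0](^.*@A$)s/@A$//
        auth_to_local = DEFAULT
    }

[domain_realm]
    # Lets the client ask for host/<fqdn>@B rather than host/<fqdn>@A.
    .a.example = A
    a.example  = A
    .b.example = B
    b.example  = B

[capaths]
    # Direct trust, no intermediate realm in either direction.
    A = {
        B = .
    }
    B = {
        A = .
    }
```

The shared secret behind the trust is the principal krbtgt/B@A, which must hold the same key (same password and a common enctype) in both KDC databases: on the B KDC with MIT kadmin it is created as, for example, `addprinc -e "arcfour-hmac-md5:normal" krbtgt/B@A`, and on the AD side with the corresponding realm-trust command. Once the client holds the chain, `klist -e` (MIT) or `klist -v` (Heimdal) shows the enctype of each ticket; if the krbtgt/B@A ticket is in an enctype the B KDC or the B SSH server's keytab does not support, the GSSAPI context setup fails exactly at the step described above, even though all three tickets were obtained.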



More information about the Kerberos mailing list