Cross Realm Trust with stand alone Windows Workstation

Douglas E. Engert deengert at anl.gov
Tue Apr 25 12:44:49 EDT 2006



Thomas Lubanski wrote:

> Hi,
> 
> I've run into a problem with the cross realm trust and Windows Workstations.
> The setup is as follows:
> Windows Workstation stand-alone with XP. The department owning the workstation is doing their own administration. The
> central department is running AD.
> The Workstation should not be imported into AD, as the owning department doesn't want that.
> The standalone Workstation shall login to a Kerberos KDC. Works like a charm. 
> Cross Realm trusts between the Kerberos KDC and AD were established. If I use a WS in the AD domain, I can logon to the
> KDC and get the tickets for AD, so I can access everything there.
> If the standalone Workstation is trying to access a resource in the domain, it is not asking for the domain ticket,
> however. It is asking for a specific service ticket for the server hosting the service. For example, if I want to map a
> drive, the workstation is asking the KDC for a ticket for cifs/server.

Sounds like the workstation Kerberos client code is expecting the KDC to return a referral for the cifs/server
to point to the other realm. Whose KDC are you running? Does it support referrals?


> Now I know this is really working as designed, as the Windows workstation has no clue about a domain or cross realm
> trusts. 
> So my question is: Is it possible to make this work *without* putting the Windows Workstation into the AD domain?
> 
> Thanks
> Thomas
> 
> 
> Thomas Lubanski     "The best laid LANs
> Senior Architect         often go foul."
> Novell Consulting 
> Tel: +49-211-5631-3758
> email: tlubanski at novell.com
> Noerdlicher Zubringer 9 -11
> 40470 Duesseldorf
> Novell, Software for the Open Enterprise
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


