Cross Realm AD<->MIT Trust, with realm name clash?

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Feb 2 19:29:29 EST 2006


Colin Simpson wrote:
> The subject largely says it all: I have a Unix MIT realm and a 
> Windows AD realm. Both have the same realm name, which for most things
> isn't a problem at all (the passwords are sync'd anyway).
> 
> It might be nice for certain PC apps (eXceed mainly) if the two had a
> trust relationship. Now I know this isn't really possible immediately, as
> the realm names clash. However, is there such a thing as a realm
> connector (or is such a thing possible) that would achieve this, i.e. a
> machine that would sit as a pseudo-KDC in the middle and make Windows
> appear to be talking to a pretend third realm (with a different name)
> that is really the Unix realm with a new name faked in its produced
> tickets (and likewise with the Unix KDC)? This connector could mangle
> the tickets' realm names on the way through.
> 
> I'm not sure this is possible, as I'm not sure who a cross-realm TGT
> gets checked with. 
> 
> Any thoughts?
> 
> Colin

The two realms cannot communicate with one another because if you
attempted to create a path by name from one to the other, the KDCs
in each realm would think it was trying to talk to itself.

If it is necessary for these realms to have cross realm relationships
with any other realms in common or with each other, then one of the
realms must change its name. There is no procedure for changing the
name of a realm hosted by an MIT KDC. However, there is such a procedure
for Windows 2003 Active Directory. It is extremely painful, but it is
possible.

Jeffrey Altman
Secure Endpoints Inc.


