Can Standard Kerberos and AD serve the same domain w/out conflict?

uidzero Bainter uid__zero at hotmail.com
Thu May 4 16:09:15 EDT 2006


We currently have an existing Active Directory domain for our Windows 
network, and I would like to set up Kerberos on the Unix side to service 
those systems.  (I would simply use Windows as the KDC, but the username 
convention is "firstname<space>lastname", which is obviously inherently 
incompatible with *nix systems.)

So let's say I have a setup like this:
userdom.org -- This is the domain where all the users and workstations live.
srvdom.org -- This is where all the servers (including unix servers) live.


[libdefaults]
   default_realm = KRB.SRVDOM.ORG

[realms]
   KRB.SRVDOM.ORG = {
      kdc = krb1.SRVDOM.org
      admin_server = kr1.SRVDOM.org
      default_domain = srvdom.org
   }

[domain_realm]
   SRVDOM.org = KRB.SRVDOM.ORG
   .SRVDOM.org = KRB.SRVDOM.ORG


With a set of existing servers like so:
   server1.srvdom.org
   server2.srvdom.org

with the above krb5.conf file.

Now, if I set this up, and there are no specific DNS entries to point to the 
KDC available, but rather I use the rather less scalable method of 
individually pointing each Unix system at the correct KDC, will that work?  
Or will this cause a nightmare of conflict between AD and the Unix Kerberos 
implementation?  I'm not intimately familiar with all of the Kerberos 
protocols... is there any broadcasting going on, particularly from 
Windows... that might cause nightmares with this?  Particularly if a Windows 
client were to attempt to authenticate against a service on one of the Unix 
systems?

What, if anything, do I need to be concerned about regarding the users 
actually attempting to authenticate from the userdom.org domain?  Do I need 
to have domain_realm mappings for that domain as well?

If I have to, I can set up a rogue DNS subdomain of krb5.srvdom.org and put 
everything in there, and subvert the existing DNS infrastructure to support 
it by using dnscache to override where the servers look for DNS and reverse 
information.  But that creates a really ugly situation, especially for 
reverse lookups.  So if I can do this, and not screw up the Windows AD 
implementation, or the clients that would be using it, that's perfect.
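The following is an added illustration, not part of the original message, of how the [domain_realm] section quoted above decides which realm a host belongs to. It uses a simplified model of the MIT krb5 lookup (an assumption: exact host first, then each parent domain with a leading dot, then default_realm; the real library also consults DNS and a few more variants), applied to a constructed copy of the poster's krb5.conf, so that a host under userdom.org can be compared with one under srvdom.org.

```python
import re

# Constructed krb5.conf text mirroring the layout quoted in the message.
KRB5_CONF = """
[libdefaults]
   default_realm = KRB.SRVDOM.ORG

[realms]
   KRB.SRVDOM.ORG = {
      kdc = krb1.SRVDOM.org
      admin_server = kr1.SRVDOM.org
      default_domain = srvdom.org
   }

[domain_realm]
   SRVDOM.org = KRB.SRVDOM.ORG
   .SRVDOM.org = KRB.SRVDOM.ORG
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value}} for flat 'key = value' lines.
    Braced realm blocks are skipped; only [libdefaults] and [domain_realm]
    matter for the host-to-realm lookup modelled here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and current and "=" in line:
            key, _, value = line.partition("=")
            # domain_realm keys are host/domain names; krb5 expects lower case
            sections[current][key.strip().lower()] = value.strip()
    return sections

def realm_for_host(hostname, conf):
    """Return (realm, matched_key) for a host: exact host, then parent
    domains with a leading dot, then the libdefaults default_realm."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent], parent
    return conf["libdefaults"]["default_realm"], "default_realm"

CONF = parse_krb5_conf(KRB5_CONF)
```

With this configuration a host under srvdom.org matches the ".srvdom.org" entry, while a host under userdom.org reaches KRB.SRVDOM.ORG only through the default_realm fallback, which is exactly the gap an explicit [domain_realm] entry for that domain would make visible in the configuration.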
