Kerberos proxy for implementing referrals
Douglas E. Engert
deengert at anl.gov
Wed May 24 14:08:38 EDT 2006
Before you do this, you may want to look at "Trusted Domain Ojests"
and "Globus Catalog" There may be a way to use the "netdom" command to:
"Establish one-way or two-way trust relationships between domains,
including the following kinds of trust relationships:
...
The Windows Server 2003 or Windows 2000 Server half of an
interoperable Kerberos realm."
Google for netdom, trusted domain object or TDO, referral and cross realm
or Google for "Domain and Forest Trust Tools and Settings"
( I have not tried this. But it looks like the netdom command could
setup the TDO that is missing.)
Richard E. Silverman wrote:
> I'm considering the use of a Kerberos proxy, to solve the problem of being
> unable to do cross realm authentication though a Windows realm to an MIT
> one, due to Windows not issuing referrals for external realms. The proxy
> would issue referrals where needed instead of having the Windows KDC say
> "no such principal," and send/return all other requests to Windows for the
> client. Obviously, the proxy will need the TGS keys for the Windows
> realm. This is a last resort; I'm going mad badgering Microsoft for some
> sort of solution to this. My outstanding request to them is whether they
> can issue default referrals. I'm not expecting a positive answer.
>
> I'm wondering whether anyone else has considered this, or (hoping against
> hope), already implemented it?
>
> I've considered using the KfW GSSAPI library with clients that support it
> (Firefox, SecureCRT, etc.), but this is probably not a workable option for
> us.
>
> All comments welcome and appreciated,
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list