putty/winscp with gssapi/krb5 ticket forwarding

Lars Schimmer l.schimmer at cgv.tugraz.at
Thu Feb 1 09:32:55 EST 2007



Christopher D. Clausen wrote:
> Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
>> Christopher D. Clausen wrote:
>>> Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
>>>> Thanks for the link.
>>>> Maybe I don't get it right in my thoughts.
>>>> Setup here:
>>>> AD with 1 server and x clients
>>>> krb5 server on debian on extra machine
>>> So you have an Active Directory domain that the Windows machines are
>>> on?
>> Yes, there is an AD domain in which the PCs are.
>>
>>> And a separate Kerberos Realm for the Linux machines?
>> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
>> lower case cgv.tugraz.at)
> 
> Okay, this sounds bad.  You'll likely need to rename either the domain 
> or the realm.  (I believe there is a Windows tool to rename a domain.)

OK, we are just 20 people here using our REALM and no entry in the DNS
server, so I think it is easier to rename the REALM instead of the AD domain.
We got a /25 subnet and a DNS entry cgv.tugraz.at (yes, academic).
Within this I wanted to set up OpenAFS (I think it should be named after the
DNS entry cgv.tugraz.at), krb5 auth (I thought CGV.TUGRAZ.AT is best and
the only usable one), Linux clients (no probs so far) and an AD domain
with its own AD domain server. And I think for DNS/network/... purposes it
is far easier to name the AD domain after the DNS entry cgv.tugraz.at
(e.g. names of clients, IPs via DHCP, ...).
I thought the only possible usable REALM was CGV.TUGRAZ.AT, so I set it
up that way and was happy as it worked for the most needed parts (login
into the AD domain [with own AD password], getting a ticket from the krb5
server for the CGV.TUGRAZ.AT REALM and getting the token automatically).


> Maybe someone else has an idea for you?  I don't think you can even 
> set up a realm trust if the realm names are the same b/c the cross-realm 
> TGT (krbtgt) would overwrite the current realm's TGT.
> 
>>> Do you have a realm trust between these?  B/c it's not likely to work
>>> if you don't.
>> There is no realm trust between both (which are the same).
>> I use cgv.tugraz.at as an AD domain for login and CGV.TUGRAZ.AT for
>> obtaining tickets/tokens.
> 
> You cannot have this work just b/c the realms are the same.  There needs 
> to be a trust setup between the realms, or you need to have ALL your 
> non-Windows machines also use the Windows domain as a KDC instead of the 
> MIT one.

Some time ago it was easier to set up the MIT krb5 server instead of
using AD krb5 auth together with OpenAFS.

And I thought using MIT krb5 software on Windows with an active ticket
for the correct REALM is the needed part for logging in with PuTTY via
ticket forwarding.

> And please reply to the list and not to me directly.

Sorry, it went wrong here. Damned Icedove.

> <<CDC 
> 
> 


MfG,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer at cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
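As an added illustration (not part of this thread), this is how a client-side krb5.conf could keep the two KDCs apart once the MIT realm is renamed, as the reply above suggests: the realm name AFS.CGV.TUGRAZ.AT and the KDC hostnames are placeholders, and the [capaths] section assumes a direct two-way cross-realm trust has been created on both KDCs.

```ini
[libdefaults]
    # Linux/OpenAFS clients default to the (renamed, placeholder) MIT realm.
    default_realm = AFS.CGV.TUGRAZ.AT

[realms]
    # MIT KDC on the Debian box (hostname is a placeholder).
    AFS.CGV.TUGRAZ.AT = {
        kdc = kdc.cgv.tugraz.at
        admin_server = kdc.cgv.tugraz.at
    }
    # The Active Directory domain keeps the realm name matching its DNS
    # name; the domain controller acts as its KDC (hostname is a placeholder).
    CGV.TUGRAZ.AT = {
        kdc = dc1.cgv.tugraz.at
    }

[domain_realm]
    # Hosts in the DNS zone map to the AD realm by default ...
    .cgv.tugraz.at = CGV.TUGRAZ.AT
    cgv.tugraz.at = CGV.TUGRAZ.AT
    # ... and the Linux hosts that live in the MIT realm are listed explicitly
    # (placeholder hostnames), so service tickets are requested from the right KDC.
    afs1.cgv.tugraz.at = AFS.CGV.TUGRAZ.AT
    linux1.cgv.tugraz.at = AFS.CGV.TUGRAZ.AT

[capaths]
    # Direct trust in both directions: each KDC holds the cross-realm
    # principal krbtgt/<other realm>@<own realm> with a shared key.
    # With identical realm names that principal would collide with the
    # realm's own krbtgt/<realm>@<realm>, which is why the rename is needed.
    CGV.TUGRAZ.AT = {
        AFS.CGV.TUGRAZ.AT = .
    }
    AFS.CGV.TUGRAZ.AT = {
        CGV.TUGRAZ.AT = .
    }
```

After such a change, `klist` on a client should show the TGT issued by the realm the client authenticated to, and a ticket for a service in the other realm should appear only after a cross-realm TGT named for that other realm, which is the observable sign that the trust, rather than a name collision, is in play.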
