putty/winscp with gssapi/krb5 ticket forwarding

Christopher D. Clausen cclausen at acm.org
Thu Feb 1 09:47:04 EST 2007


Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
> Christopher D. Clausen wrote:
>> Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
>>> Christopher D. Clausen wrote:
>>>> So you have an Active Directory domain that the Windows machines
>>>> are on?
>>>
>>> Yes, there is an AD domain in which the PCs are.
>>>
>>>> And a separate Kerberos Realm for the Linux machines?
>>>
>>> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
>>> lower case cgv.tugraz.at)
>>
>> Okay, this sounds bad.  You'll likely need to rename either the
>> domain or the realm.  (I believe there is a Windows tool to rename a
>> domain.)
>
> OK, we are just 20 people here using our REALM and no entry in DNS
> server, I think it is easier to rename the REALM instead of the AD
> domain. We got a /25 subnet and a DNS entry cgv.tugraz.at (yes,
> academic).
> Within this I wanted to setup OpenAFS (I think it should name after
> the dns entry cgv.tugraz.at), krb5 auth (I thought CGV.TUGRAZ.AT is
> best and the only usable one), linux clients (no probs so far) and a
> AD domain with its own AD domain server. And I think for
> DNS/network/... purpose it is far easier to name the AD domain after
> the DNS entry cgv.tugraz.at, e.g. names of clients, IPs via dhcp,...).
> I thought the only possible usable REALM was CGV.TUGRAZ.AT and I set
> it up that way and was happy as it worked for the most needed parts
> (login into AD domain [with own AD password], getting ticket from
> krb5 server for CGV.TUGRAZ.AT REALM and getting token automatic).

If your eventual goal is to set up OpenAFS, I'd suggest ONLY using the AD 
domain if your Kerberos realm only has a few users now anyway.  You can 
do just about anything in AD that you could do with MIT Kerberos, although 
the management from the non-Windows side of things is a little annoying, 
but it is possible.  Having everything in one Kerberos realm simplifies 
single-sign-on and cross-platform issues.

>> You cannot have this work just b/c the realms are the same.  There
>> needs to be a trust setup between the realms, or you need to have
>> ALL your non-Windows machines also use the Windows domain as a KDC
>> instead of the MIT one.
>
> Some time ago it was easier to setup the MIT krb5 server instead of
> using AD krb5 auth together with OpenAFS.
>
> And I thought using MIT krb5 software on Windows with an active ticket
> for the correct REALM is the needed part for logging in with putty via
> ticket forwarding.

It is nearly as easy to have an AFS cell use an AD domain as using MIT or 
Heimdal.  Just generate a keytab for the afs/cell service principal and 
use asetkey to add it to the KeyFile.

<<CDC 
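An added example, not part of the thread, of the /etc/krb5.conf a Linux client would carry if the non-Windows machines use the AD domain controllers as their KDC, as suggested above. The domain controller host name dc1.cgv.tugraz.at is an assumed placeholder; the realm and DNS domain names are the ones from the thread.

```ini
[libdefaults]
    ; Realm names are case-sensitive; the realm is CGV.TUGRAZ.AT even
    ; though the DNS domain it serves is written cgv.tugraz.at.
    default_realm = CGV.TUGRAZ.AT
    ; PuTTY/WinSCP GSSAPI ticket forwarding only works when the client
    ; obtained a forwardable TGT, so request that by default.
    forwardable = true
    dns_lookup_kdc = false

[realms]
    CGV.TUGRAZ.AT = {
        ; Assumed placeholder: point at the AD domain controller instead
        ; of the separate MIT KDC, so there is a single realm to trust.
        kdc = dc1.cgv.tugraz.at
        admin_server = dc1.cgv.tugraz.at
        default_domain = cgv.tugraz.at
    }

[domain_realm]
    ; Map the lower-case DNS domain (and all hosts under it) onto the
    ; upper-case realm, so host/ and afs/ principals resolve correctly.
    .cgv.tugraz.at = CGV.TUGRAZ.AT
    cgv.tugraz.at = CGV.TUGRAZ.AT
```

With this in place a client that runs kinit and then connects with GSSAPI delegation enabled in PuTTY arrives on the Linux host with a forwarded TGT issued by the AD KDC, and no cross-realm trust is needed.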