putty/winscp with gssapi/krb5 ticket forwarding

Christopher D. Clausen cclausen at acm.org
Fri Jan 26 09:41:37 EST 2007


Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
> Thanks for the link.
> Maybe I don't get it right on my thoughts.
> Setup here:
> AD with 1 server and x clients
> krb5 server on debian on extra machine

So you have an Active Directory domain that the Windows machines are on?

And a separate Kerberos Realm for the Linux machines?

Do you have a realm trust between these?  B/c it's not likely to work if
you don't.

> on each client MIT krb5 and OpenAFS 1.4.x on debian, 1.5.12 on windows
> on windows clients: krb5 config with the krb5 server entry and "obtain
> tokens for OpenAFS while login enabled"
> til yet no special entries for krb5 in AD.
> I assume the user on windows obtain a token and a valid ticket from
> the linux krb5 server while logging in (else the token wouldn't be valid)
> So a valid ticket for user is available in the cache.
> In https://www-s.acm.uiuc.edu/wiki/space/Setting+up+SSH+on+Debian

That page assumes all machines are in one realm, which doesn't appear to 
be your case at all.  Can you be specific about which machines are in 
which Kerberos / AD Realm?

<<CDC 




