putty/winscp with gssapi/krb5 ticket forwarding

Christopher D. Clausen cclausen at acm.org
Tue Jan 30 11:44:59 EST 2007


Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
> Christopher D. Clausen wrote:
>> Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
>>> Thanks for the link.
>>> Maybe I don't get it right on my thoughts.
>>> Setup here:
>>> AD with 1 server and x clients
>>> krb5 server on debian on extra machine
>>
>> So you have an Active Directory domain that the Windows machines are
>> on?
>
> Yes, there is an AD domain in which the PCs are.
>
>> And a separate Kerberos Realm for the Linux machines?
>
> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
> lower case cgv.tugraz.at)

Okay, this sounds bad.  You'll likely need to rename either the domain 
or the realm.  (I believe there is a Windows tool to rename a domain.)

Maybe someone else has an idea for you?  I don't think you can even
set up a realm trust if the realm names are the same b/c the cross-realm
TGT (krbtgt) would overwrite the current realm's TGT.

>> Do you have a realm trust between these?  B/c it's not likely to work
>> if you don't.
>
> There is no realm trust between both (which are the same).
> I use cgv.tugraz.at as an AD domain for login and CGV.TUGRAZ.AT for
> obtaining tickets/tokens.

You cannot have this work just b/c the realms are the same.  There needs
to be a trust set up between the realms, or you need to have ALL your
non-Windows machines also use the Windows domain as a KDC instead of the 
MIT one.

And please reply to the list and not to me directly.

<<CDC 




