putty/winscp with gssapi/krb5 ticket forwarding
Christopher D. Clausen
cclausen at acm.org
Tue Jan 30 11:44:59 EST 2007
Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
> Christopher D. Clausen wrote:
>> Lars Schimmer <l.schimmer at cgv.tugraz.at> wrote:
>>> Thanks for the link.
>>> Maybe I don't get it right on my thoughts.
>>> Setup here:
>>> AD with 1 server and x clients
>>> krb5 server on debian on extra machine
>>
>> So you have an Active Directory domain that the Windows machines are
>> on?
>
> Yes, there is an AD domain in which the PCs are.
>
>> And a separate Kerberos Realm for the Linux machines?
>
> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
> lower case cgv.tugraz.at)

Okay, this sounds bad. You'll likely need to rename either the domain
or the realm. (I believe there is a Windows tool to rename a domain.)
Maybe someone else has an idea for you? I don't think you can even
set up a realm trust if the realm names are the same b/c the cross-realm
TGT (krbtgt) would overwrite the current realm's TGT.

>> Do you have a realm trust between these? B/c it's not likely to work
>> if you don't.
>
> There is no realm trust between both (which are the same).
> I use cgv.tugraz.at as an AD domain for login and CGV.TUGRAZ.AT for
> obtaining tickets/tokens.

You cannot have this work just b/c the realms are the same. There needs
to be a trust set up between the realms, or you need to have ALL your
non-Windows machines also use the Windows domain as a KDC instead of the
MIT one.

And please reply to the list and not to me directly.

<<CDC