Cross Realm: Problem with Default Realm
Douglas E. Engert
deengert at anl.gov
Thu Jul 26 17:20:02 EDT 2007
Miguel Sanders wrote:
> Dear all
>
> I managed to do cross realm authentication between AD realm A and MIT
> realm B.
> However, this only works if hosts in realm B have "default_realm = A"
> in their krb5.conf. I have some problems with this since there are
> quite a lot of other principals in realm B...
As Russ pointed out, you left a lot out. One important point is
how the client determines the realm of the server. Windows
clients (i.e. using the Microsoft Kerberos in Windows) use referrals
and ask the user's KDC. Other Kerberos implementations use the krb5.conf or krb5.ini
[domain_realm] section (you called it [domain]); is this your problem?
You should also look at the .k5login file and the
krb5.conf auth_to_local parameter.
Obfuscating the names in your e-mail can also lead to confusion,
as you may have oversimplified the problem, making it harder to
diagnose.
>
> Perhaps a setting in krb5.conf that can solve this issue:
>
> Snippet:
> [libdefaults]
> default_realm = A
> default_keytab_name = FILE:/etc/krb5/host.keytab
> default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
> forwardable = true
> dns_lookup_realm = no
> dns_lookup_kdc = no
>
> [realms]
> B = {
> kdc = kdc.b.com
> }
> A = {
> kdc = kdc.a.com
> }
> [domains]
> .b.com = B
> b.com = B
> .a.com = A
> a.com = A
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
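As an added illustration (not code from either poster), here is a small Python model of the documented [domain_realm] lookup, run against the posted krb5.conf: the mapping lives under a section named [domains], which libkrb5 does not read, so no host maps to realm B; renaming the section to [domain_realm] makes the mapping take effect. The parser, the sample hostnames and the corrected copy of the config are constructed for this example, and DNS and referral fallbacks are deliberately not modelled.

```python
# Constructed sample: the config from the thread (enctype lines trimmed),
# keeping the misnamed [domains] section exactly as posted.
POSTED_CONF = """
[libdefaults]
default_realm = A
dns_lookup_realm = no
[realms]
B = {
kdc = kdc.b.com
}
A = {
kdc = kdc.a.com
}
[domains]
.b.com = B
b.com = B
.a.com = A
a.com = A
"""
# Constructed fix: the same file with the section name libkrb5 actually reads.
FIXED_CONF = POSTED_CONF.replace("[domains]", "[domain_realm]")


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}}, with one level
    of 'name = { ... }' nesting as used in [realms]. Not a full parser."""
    sections, section, nested = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
        elif line.endswith("{"):
            nested = section.setdefault(line[:-1].strip(" ="), {})
        elif line == "}":
            nested = None
        else:
            key, _, value = line.partition("=")
            (nested if nested is not None else section)[key.strip()] = value.strip()
    return sections


def host_realm(conf, hostname):
    """Documented [domain_realm] rule: an exact hostname entry wins, then
    parent domains written with a leading dot, most specific first.
    Returns None when no entry matches (fallbacks are out of scope here)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None
```

Running `host_realm(parse_krb5_conf(POSTED_CONF), "files.b.com")` yields None, while the same call against FIXED_CONF yields "B".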