Cross Realm: Multiple AD Domains

Miguel Sanders miguelsanders at telenet.be
Sat Jul 28 05:53:42 EDT 2007


Dear all,

I have asked this question already to Markus and Douglas but I am
giving it another attempt.
I have already successfully tested my cross realm implementation in a
test phase.

However, the environment in test was a single domain in the forest, and
the acceptance/production environment has multiple domains, and the one
I would like to do cross realm with is not the root of the forest.
To give you a clear view on the situation:
ESX.SIDMAR.AGN being the MIT realm
SIDMAR.BE being the AD domain
ZEUS.SCHEMA being the root for the AD forest

None of them are DNS hierarchical!

So basically, we have
             AD                 and               MIT
   ZEUS.SCHEMA                  ESX.SIDMAR.AGN
              |
    SIDMAR.BE

Now, since the users are located in SIDMAR.BE and the service
principals in ESX.SIDMAR.AGN, I need to do cross realm. At the moment,
SIDMAR.BE has a transitive two-way trust with ZEUS.SCHEMA since
it is the root of the forest.

I assume that the following needs to be done:

On ZEUS.SCHEMA:
1) ksetup.exe /addkdc ESX.SIDMAR.AGN (SRV records are available)
2) ksetup.exe /addrealmflags ESX.SIDMAR.AGN tcpsupported
3) netdom trust ZEUS.SCHEMA /domain:ESX.SIDMAR.AGN /add /realm /twoway /PasswordT:SomePW
4) netdom trust ZEUS.SCHEMA /domain:ESX.SIDMAR.AGN /transitive:yes
5) netdom trust ZEUS.SCHEMA /domain:ESX.SIDMAR.AGN /foresttransitive:yes
6) netdom trust ZEUS.SCHEMA /domain:ESX.SIDMAR.AGN /addtln:esx.sidmar.agn

On the XP clients:
7) ksetup.exe /addkdc ESX.SIDMAR.AGN (SRV records are available)
8) ksetup.exe /addrealmflags ESX.SIDMAR.AGN tcpsupported

On the Unix KDC I have to create cross realm principals with password
SomePW

On a Unix client in realm ESX.SIDMAR.AGN, the krb5.conf should look
like
[libdefaults]
      default_realm = ESX.SIDMAR.AGN
      default_keytab_name = FILE:/etc/krb5/host.keytab
      default_tkt_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
      default_tgs_enctypes = arcfour-hmac des-cbc-md5 des-cbc-crc
      forwardable = true
      dns_lookup_realm = false
      dns_lookup_kdc = true

[realms]
      ESX.SIDMAR.AGN = {
              kdc = sv106n.esx.sidmar.agn:88
              admin_server = sv106n.esx.sidmar.agn:749
              default_domain = esx.sidmar.agn
              auth_to_local = RULE:[1:$1@$0](.*@SIDMAR\.BE)s/@.*//
              auth_to_local = DEFAULT
      }

      SIDMAR.BE = {
              kdc = svdc013.sidmar.be:88
              default_domain = sidmar.be
      }

      ZEUS.SCHEMA = {
              kdc = svdc095.zeus.schema:88
      }

[domain_realm]
      .esx.sidmar.agn = ESX.SIDMAR.AGN
      .sidmar.be = SIDMAR.BE
      .zeus.schema = ZEUS.SCHEMA

[capaths]
      ESX.SIDMAR.AGN = {
              SIDMAR.BE = ZEUS.SCHEMA
      }

      SIDMAR.BE = {
              ESX.SIDMAR.AGN = ZEUS.SCHEMA
      }

[logging]
      kdc = FILE:/var/krb5/log/krb5kdc.log
      admin_server = FILE:/var/krb5/log/kadmin.log
      default = FILE:/var/krb5/log/krb5lib.log

Can someone give me some feedback on this setup? Are there any
caveats?

Thanks a lot in advance

Miguel
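The [capaths] section in the krb5.conf above encodes the realm hops a ticket must traverse (client realm, intermediates, server realm), and each hop implies a krbtgt cross-realm principal that both KDCs on that hop must share. The script below, an added example and not part of the post or of MIT Kerberos, parses a [capaths] section, derives the transit path for a client/server realm pair, lists the krbtgt/SERVER@CLIENT principals each hop needs, and flags one-directional entries; the sample config is constructed from the realm names in the post. It generalises beyond the single-intermediate case here: multiple intermediates (repeated keys) and the direct-hop marker "." are handled as MIT krb5 documents them.

```python
"""Derive cross-realm transit paths and required krbtgt principals from
the [capaths] section of an MIT krb5.conf.

Added example; not code from the mailing-list post or from MIT Kerberos.
SAMPLE_KRB5_CONF is constructed from the realm names used in the post."""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
      default_realm = ESX.SIDMAR.AGN

[capaths]
      ESX.SIDMAR.AGN = {
              SIDMAR.BE = ZEUS.SCHEMA
      }

      SIDMAR.BE = {
              ESX.SIDMAR.AGN = ZEUS.SCHEMA
      }
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms]}}.

    [capaths] only nests one level of braces. A value of '.' means a
    direct hop (no intermediate); a repeated server key appends a further
    intermediate, which is how longer paths are written."""
    capaths = {}
    section = None
    client = None
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, client = m.group(1), None
            continue
        if section != 'capaths':
            continue
        if line == '}':
            client = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':
            client = key
            capaths.setdefault(client, {})
        elif client is not None and value:
            hops = capaths[client].setdefault(key, [])
            if value != '.':
                hops.append(value)
    return capaths


def transit_path(capaths, client_realm, server_realm):
    """Realms a ticket traverses from client to server, endpoints included.

    Without a [capaths] entry MIT krb5 falls back to the DNS-hierarchy
    rule; the realms in the post are not hierarchical, so an entry is
    required and its absence is reported rather than guessed."""
    if client_realm == server_realm:
        return [client_realm]
    try:
        hops = capaths[client_realm][server_realm]
    except KeyError:
        raise LookupError(f"no [capaths] entry for {client_realm} -> {server_realm}")
    return [client_realm, *hops, server_realm]


def required_krbtgt_principals(path):
    """For each hop A -> B the KDC of A must hold krbtgt/B@A and B's KDC the
    same key: these are the cross-realm principals created with a shared
    password on the Unix KDC and via 'netdom trust' on the AD side."""
    return [f"krbtgt/{b}@{a}" for a, b in zip(path, path[1:])]


def check_symmetry(capaths):
    """List client->server entries whose reverse direction is missing; a
    two-way trust needs the path declared in both directions."""
    missing = []
    for client, targets in capaths.items():
        for server in targets:
            if client not in capaths.get(server, {}):
                missing.append(f"{server} -> {client}")
    return missing


if __name__ == "__main__":
    cp = parse_capaths(SAMPLE_KRB5_CONF)
    path = transit_path(cp, "SIDMAR.BE", "ESX.SIDMAR.AGN")
    print("transit path:", " -> ".join(path))
    for princ in required_krbtgt_principals(path):
        print("needs", princ)
    print("missing reverse entries:", check_symmetry(cp) or "none")
```

For the post's configuration the path SIDMAR.BE -> ZEUS.SCHEMA -> ESX.SIDMAR.AGN yields krbtgt/ZEUS.SCHEMA@SIDMAR.BE (already covered by the existing forest trust) and krbtgt/ESX.SIDMAR.AGN@ZEUS.SCHEMA, which is the principal the netdom realm trust and the matching kadmin entry on the MIT KDC must agree on; keeping the derived list next to the config makes it easy to confirm that no broader trust than those hops is being granted.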
