R: Multiple AD domains and MIT Kerberos

Eric Schwarz eric.schwarz.nrla at statefarm.com
Fri Mar 2 13:01:34 EST 2007


Hello,

We have a situation where we are trying to get AIX Kerberos to interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to get the krb5.conf configuration to allow for the SPN to be registered in an account that is not in the root domain of the forest. Example-

Forest-

Example.exm
Dom1.example.exm
Dom2.example.exm
SubDom.Dom2.example.exm

How do you configure the krb5.conf file to understand that the keytab file is coming from an account in Dom1.example.exm (SPN= http\web.example.com), yet the AIX machine should allow any Windows account from any of the domains in the forest to authenticate to the AIX machine? We believe it would have something to do with the [realms] and/or [capath] settings... but cannot get it configured to accept authentication from all domains unless the account with the target SPN is in the root domain and all sub-domains then share a contiguous name space. As soon as we place the target SPN on a sub-domain account, only users from that domain can authenticate... all other domains cannot.

Any help would be appreciated.

Thanks!

Eric Schwarz 
MCSE, MCT, Security+ 
Server/ Active Directory- Team Lead
Windows Security Services C01910 
Systems Technology 

phone-  (309) 763-2873 
mobile-  (309) 319-3238
email-    eric.schwarz.nrla at statefarm.com  
hpsd-    SERVER-WINSECURITY (WG2716) 
              WinSecurity Change Management (WG2811)
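A krb5.conf sketch for the four-domain forest described above, added here as an illustration and not taken from the original post or from any vendor documentation. It assumes the Kerberos realm names are the upper-cased DNS domain names, that the service account (and therefore the keytab's principal realm) lives in DOM1.EXAMPLE.EXM, and that every cross-domain trust path in the forest runs through the root domain; the KDC host names are placeholders.

```ini
[libdefaults]
    # Realm of the keytab principal http/web.example.com (assumption: account lives in Dom1)
    default_realm = DOM1.EXAMPLE.EXM

[realms]
    # KDC host names below are constructed placeholders, not real domain controllers
    EXAMPLE.EXM = {
        kdc = dc.example.exm
    }
    DOM1.EXAMPLE.EXM = {
        kdc = dc.dom1.example.exm
    }
    DOM2.EXAMPLE.EXM = {
        kdc = dc.dom2.example.exm
    }
    SUBDOM.DOM2.EXAMPLE.EXM = {
        kdc = dc.subdom.dom2.example.exm
    }

[domain_realm]
    # The SPN's DNS name (web.example.com) is outside the forest's name space,
    # so map it explicitly to the realm that holds the service account.
    web.example.com = DOM1.EXAMPLE.EXM
    .example.exm = EXAMPLE.EXM
    .dom1.example.exm = DOM1.EXAMPLE.EXM
    .dom2.example.exm = DOM2.EXAMPLE.EXM
    .subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM

[capaths]
    # Format: CLIENT_REALM = { SERVER_REALM = INTERMEDIATE_REALM(s) }
    # "." means a direct trust with no intermediate. Every client realm in the
    # forest must have a path to DOM1.EXAMPLE.EXM, or the server-side transited
    # check rejects tickets from users who are not in Dom1.
    EXAMPLE.EXM = {
        DOM1.EXAMPLE.EXM = .
    }
    DOM2.EXAMPLE.EXM = {
        DOM1.EXAMPLE.EXM = EXAMPLE.EXM
    }
    SUBDOM.DOM2.EXAMPLE.EXM = {
        # Multi-hop path: list each intermediate on its own line, in order
        DOM1.EXAMPLE.EXM = DOM2.EXAMPLE.EXM
        DOM1.EXAMPLE.EXM = EXAMPLE.EXM
    }
```

Before changing paths, confirm with klist -k that the keytab's service principal carries the DOM1.EXAMPLE.EXM realm, since a principal issued under the root realm would make every [capaths] entry point at the wrong server realm.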