R: Multiple AD domains and MIT Kerberos
Jeffrey Altman
jaltman at secure-endpoints.com
Fri Mar 2 17:01:25 EST 2007
If the host name is host.example.com and the service principal is
http/host.example.com at SUBDOM.DOM2.EXAMPLE.COM, then the domain realm
entry for host.example.com should be SUBDOM.DOM2.EXAMPLE.COM.
Jeffrey Altman
Secure Endpoints Inc.
Eric Schwarz wrote:
> Hello,
>
> We have a situation where we are trying to get AIX Kerberos to interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to get the krb5.conf configuration to allow for the SPN to be registered in an account that is not in the root domain of the forest. Example-
>
> Forest-
>
> Example.exm
> Dom1.example.exm
> Dom2.example.exm
> SubDom.Dom2.example.exm
>
> How do you configure the krb5.conf file to understand that the keytab file is coming from an account in Dom1.example.exm (SPN= http\web.example.com), yet the AIX machine should allow any Windows account from any of the domains in the forest to authenticate to the AIX machine? We believe it would have something to do with the [realms] and/or [capath] settings... but cannot get it configured to accept authentication from all domains unless the account with the target SPN is in the root domain and all sub-domains then share a contiguous name space. As soon as we place the target SPN on a sub-domain account only users from that domain can authenticate... all other domains cannot.
>
> Any help would be appreciated.
>
> Thanks!
>
> Eric Schwarz
> MCSE, MCT, Security+
> Server/ Active Directory- Team Lead
> Windows Security Services C01910
> Systems Technology
>
> phone- (309) 763-2873
> mobile- (309) 319-3238
> email- eric.schwarz.nrla at statefarm.com
> hpsd- SERVER-WINSECURITY (WG2716)
> WinSecurity Change Management (WG2811)
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
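
The mapping described in the reply above, as an added example that is not part of the original message: a Python check that reads a constructed krb5.conf fragment and confirms that the [domain_realm] entry for a host matches the realm of its service principal. The lookup order (full host name first, then each parent domain) is a simplified model of how MIT krb5 consults [domain_realm]; the function names and the sample file are assumptions.

```python
import re

# Constructed krb5.conf fragment; host and realm names are the ones used in the reply.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[domain_realm]
    .example.com = EXAMPLE.COM
    host.example.com = SUBDOM.DOM2.EXAMPLE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a {name: REALM} dict."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def host_realm(hostname, mapping):
    """Most specific entry wins: the full host name, then each parent domain."""
    name = hostname.lower()
    while name:
        if name in mapping:
            return mapping[name]
        if name.startswith("."):
            name = name[1:]                  # ".example.com" -> "example.com"
        else:
            dot = name.find(".")
            name = name[dot:] if dot != -1 else ""
    return None

def check_spn(spn, mapping):
    """Compare the realm in service/host@REALM with the realm mapped for the host."""
    service_host, realm = spn.rsplit("@", 1)
    host = service_host.split("/", 1)[1]
    mapped = host_realm(host, mapping)
    return mapped == realm, mapped

if __name__ == "__main__":
    conf = parse_domain_realm(SAMPLE_KRB5_CONF)
    print(check_spn("http/host.example.com@SUBDOM.DOM2.EXAMPLE.COM", conf))
```

Without the host-specific entry, the host falls through to the `.example.com` line and the check reports a mismatch against the sub-domain realm.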