R: Multiple AD domains and MIT Kerberos

Jeffrey Altman jaltman at secure-endpoints.com
Fri Mar 2 17:01:25 EST 2007


If the host name is host.example.com and the service principal is
http/host.example.com at SUBDOM.DOM2.EXAMPLE.COM then the domain realm
entry for host.example.com should be SUBDOM.DOM2.EXAMPLE.COM

Jeffrey Altman
Secure Endpoints Inc.


Eric Schwarz wrote:
> Hello,
>
> We have a situation where we are trying to get AIX Kerberos to interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to get the krb5.conf configuration to allow for the SPN to be registered in an account that is not in the root domain of the forest. Example-
>
> Forest-
>
> Example.exm
> Dom1.example.exm
> Dom2.example.exm
> SubDom.Dom2.example.exm
>
> How do you configure the krb5.conf file to understand that the keytab file is coming from an account in Dom1.example.exm (SPN= http\web.example.com), yet the AIX machine should allow any Windows account from any of the domains in the forest to authenticate to the AIX machine? We believe it would have something to do with the [realms] and/or [capath] settings... but cannot get it configured to accept authentication from all domains unless the account with the target SPN is in the root domain and all sub-domains then share a contiguous name space. As soon as we place the target SPN on a sub-domain account only users from that domain can authenticate... all other domains cannot.
>
> Any help would be appreciated.
>
> Thanks!
>
> Eric Schwarz 
> MCSE, MCT, Security+ 
> Server/ Active Directory- Team Lead
> Windows Security Services C01910 
> Systems Technology 
>
> phone-  (309) 763-2873 
> mobile-  (309) 319-3238
> email-    eric.schwarz.nrla at statefarm.com  
> hpsd-    SERVER-WINSECURITY (WG2716) 
>               WinSecurity Change Management (WG2811)
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
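As an added illustration (not part of either message), a krb5.conf fragment for the forest Eric describes, applying Jeffrey's point: the keytab SPN http/web.example.com is held by an account in DOM1.EXAMPLE.EXM, so the domain_realm entry for that exact host maps to DOM1 rather than to the realm its DNS name suggests. The KDC host names are placeholders, and the capaths entries assume the forest's parent/child trusts are the only cross-realm paths.

```ini
[libdefaults]
    default_realm = DOM1.EXAMPLE.EXM

[realms]
# KDC names below are placeholders, not from the thread.
    EXAMPLE.EXM = {
        kdc = dc.example.exm
    }
    DOM1.EXAMPLE.EXM = {
        kdc = dc.dom1.example.exm
    }
    DOM2.EXAMPLE.EXM = {
        kdc = dc.dom2.example.exm
    }
    SUBDOM.DOM2.EXAMPLE.EXM = {
        kdc = dc.subdom.dom2.example.exm
    }

[domain_realm]
# The keytab principal for web.example.com was issued by DOM1, so the
# exact host name must map to DOM1 regardless of its DNS suffix.
    web.example.com = DOM1.EXAMPLE.EXM
# Remaining hosts map to the realm matching their own DNS domain;
# the longest matching suffix wins.
    .subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
    .dom2.example.exm = DOM2.EXAMPLE.EXM
    .dom1.example.exm = DOM1.EXAMPLE.EXM
    .example.exm = EXAMPLE.EXM

[capaths]
# Assumed trust paths: each domain reaches DOM1 through the forest root,
# with a grandchild first passing through its parent. "." means direct.
    EXAMPLE.EXM = {
        DOM1.EXAMPLE.EXM = .
    }
    DOM2.EXAMPLE.EXM = {
        DOM1.EXAMPLE.EXM = EXAMPLE.EXM
    }
    SUBDOM.DOM2.EXAMPLE.EXM = {
        DOM1.EXAMPLE.EXM = DOM2.EXAMPLE.EXM
        DOM1.EXAMPLE.EXM = EXAMPLE.EXM
    }
```

The [capaths] block is what lets the AIX side validate the transited realm list in tickets presented by users from the other domains; if users from those domains still fail after the domain_realm fix, that path list is the next thing to compare against the actual forest trusts.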

