Multiple AD domains and MIT Kerberos

Markus Moeller huaraz at moeller.plus.com
Sat Mar 3 13:43:45 EST 2007


"Eric Schwarz" <eric.schwarz.nrla at statefarm.com> wrote in message 
news:20253DF9635FD5438442BBC8397BBE7403F9D6B8 at WPSCV6NF.OPR.STATEFARM.ORG...
> Hello,
>
> We have a situation where we are trying to get AIX Kerberos to 
> interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to 
> get the krb5.conf configuration to allow for the SPN to be registered in 
> an account that is not in the root domain of the forest. Example-
>
> Forest-
>
> Example.exm
> Dom1.example.exm
> Dom2.example.exm
> SubDom.Dom2.example.exm
>
> How do you configure the krb5.conf file to understand that the keytab file 
> is coming from an account in Dom1.example.exm (SPN= http\web.example.com), 
> yet the AIX machine should allow any Windows account from any of the 
> domains in the forest to authenticate to the AIX machine? We believe it 
> would have something to do with the [realms] and/or [capath] settings... 
> but cannot get it configured to accept authentication from all domains 
> unless the account with the target SPN is in the root domain and all 
> sub-domains then share a contiguous name space. As soon as we place the 
> target SPN on a sub-domain account only users from that domain can 
> authenticate... all other domains cannot.
>

In a Unix-only environment you could do the following:
Use a second IP on the same interface of the host, e.g.
192.168.1.1  web.example.exm
192.168.1.2  host.example.exm

krb5.conf would look like:
[libdefaults]
        default_realm = EXAMPLE.EXM
[realms]
        EXAMPLE.EXM = {
                auth_to_local = RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//
                auth_to_local = DEFAULT
        }
[domain_realm]
        .example.exm = EXAMPLE.EXM
        example.exm = EXAMPLE.EXM
        .dom1.example.exm = DOM1.EXAMPLE.EXM
        dom1.example.exm = DOM1.EXAMPLE.EXM
        .dom2.example.exm = DOM2.EXAMPLE.EXM
        dom2.example.exm = DOM2.EXAMPLE.EXM
        .subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
        subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
        web.example.exm = DOM1.EXAMPLE.EXM

Now when you do ssh host.example.exm you will use 
host/host.example.exm@EXAMPLE.EXM, and when accessing the web server 
web.example.exm you will use HTTP/web.example.exm@DOM1.EXAMPLE.EXM.

On Windows this is (as far as I know) not possible. You can only "redirect" 
the queries for a domain, not for a host, e.g.
netdom trust EXAMPLE.EXM /domain:DOM1.EXAMPLE.EXM /addtln:web.example.exm

A list should show:
netdom trust EXAMPLE.EXM /namesuffixes:DOM1.EXAMPLE.EXM
   Name, Type, Status, Notes
1. *.dom1.example.exm, Name Suffix, Enabled
1. *.web.example.exm, Name Suffix, Enabled

would mean you can have www1.web.example.exm and www2.web.example.exm in 
domain DOM1.EXAMPLE.EXM

> Any help would be appreciated.
>
> Thanks!
>

Regards
Markus

> Eric Schwarz
> MCSE, MCT, Security+
> Server/ Active Directory- Team Lead
> Windows Security Services C01910
> Systems Technology
>
> phone-  (309) 763-2873
> mobile-  (309) 319-3238
> email-    eric.schwarz.nrla at statefarm.com
> hpsd-    SERVER-WINSECURITY (WG2716)
>              WinSecurity Change Management (WG2811)
>
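To see why the host-specific [domain_realm] entry and the auth_to_local rule from the reply above work together, here is an added Python sketch (not MIT Kerberos code, and a simplification of its lookup rules) that evaluates that krb5.conf against sample hostnames and principals. The usernames and hostnames fed to it are constructed.

```python
import re

# Constructed from the krb5.conf in the reply: [domain_realm] as a dict,
# plus the auth_to_local rules in the order they are listed.
DEFAULT_REALM = "EXAMPLE.EXM"
DOMAIN_REALM = {
    ".example.exm": "EXAMPLE.EXM", "example.exm": "EXAMPLE.EXM",
    ".dom1.example.exm": "DOM1.EXAMPLE.EXM", "dom1.example.exm": "DOM1.EXAMPLE.EXM",
    ".dom2.example.exm": "DOM2.EXAMPLE.EXM", "dom2.example.exm": "DOM2.EXAMPLE.EXM",
    ".subdom.dom2.example.exm": "SUBDOM.DOM2.EXAMPLE.EXM",
    "subdom.dom2.example.exm": "SUBDOM.DOM2.EXAMPLE.EXM",
    "web.example.exm": "DOM1.EXAMPLE.EXM",   # the host-specific override
}
AUTH_TO_LOCAL = ["RULE:[1:$1@$0](.*@.*\\.EXAMPLE.EXM$)s/@.*//", "DEFAULT"]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)")

def host_to_realm(hostname):
    """Simplified [domain_realm] lookup: exact hostname entry first, then each
    parent domain with a leading dot, otherwise default_realm."""
    host = hostname.lower()
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in DOMAIN_REALM:
            return DOMAIN_REALM[parent]
    return DEFAULT_REALM

def service_principal(service, hostname):
    """Principal a client would request for service/host, e.g. HTTP/web..."""
    return f"{service}/{hostname}@{host_to_realm(hostname)}"

def auth_to_local(principal):
    """Map user@REALM to a local account name; None means no mapping."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    for rule in AUTH_TO_LOCAL:
        if rule == "DEFAULT":  # strip realm only for the default realm
            if realm == DEFAULT_REALM and len(comps) == 1:
                return comps[0]
            continue
        ncomp, fmt, regexp, pat, repl, gflag = RULE_RE.fullmatch(rule).groups()
        if len(comps) != int(ncomp):
            continue
        s = fmt.replace("$0", realm)            # $0 is the realm
        for i, comp in enumerate(comps, 1):     # $1.. are name components
            s = s.replace(f"${i}", comp)
        if re.fullmatch(regexp, s):             # selector must match whole string
            return re.sub(pat, repl, s, count=0 if gflag else 1)
    return None
```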