Multiple AD domains and MIT Kerberos
Markus Moeller
huaraz at moeller.plus.com
Sat Mar 3 13:43:45 EST 2007
"Eric Schwarz" <eric.schwarz.nrla at statefarm.com> wrote in message
news:20253DF9635FD5438442BBC8397BBE7403F9D6B8 at WPSCV6NF.OPR.STATEFARM.ORG...
> Hello,
>
> We have a situation where we are trying to get AIX Kerberos to
> interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to
> get the krb5.conf configuration to allow for the SPN to be registered in
> an account that is not in the root domain of the forest. Example-
>
> Forest-
>
> Example.exm
> Dom1.example.exm
> Dom2.example.exm
> SubDom.Dom2.example.exm
>
> How do you configure the krb5.conf file to understand that the keytab file
> is coming from an account in Dom1.example.exm (SPN= http\web.example.com),
> yet the AIX machine should allow any Windows account from any of the
> domains in the forest to authenticate to the AIX machine? We believe it
> would have something to do with the [realms] and/or [capath] settings...
> but cannot get it configured to accept authentication from all domains
> unless the account with the target SPN is in the root domain and all
> sub-domains then share a contiguous name space. As soon as we place the
> target SPN on a sub-domain account only users from that domain can
> authenticate... all other domains cannot.
>
In a Unix-only environment you could do the following:
Use a second IP on the same interface on the host, e.g.
192.168.1.1 web.example.exm
192.168.1.2 host.example.exm
krb5.conf would look like:
[libdefaults]
default_realm = EXAMPLE.EXM
[realms]
EXAMPLE.EXM = {
auth_to_local = RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//
auth_to_local = DEFAULT
}
[domain_realm]
.example.exm = EXAMPLE.EXM
example.exm = EXAMPLE.EXM
.dom1.example.exm = DOM1.EXAMPLE.EXM
dom1.example.exm = DOM1.EXAMPLE.EXM
.dom2.example.exm = DOM2.EXAMPLE.EXM
dom2.example.exm = DOM2.EXAMPLE.EXM
.subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
web.example.exm = DOM1.EXAMPLE.EXM
Now when you do ssh host.example.exm you will use
host/host.example.exm@EXAMPLE.EXM, and when accessing the web server
web.example.exm you will use HTTP/web.example.exm@DOM1.EXAMPLE.EXM.
On Windows this is (as far as I know) not possible. You can only "redirect"
the queries for a domain, not a host, e.g.
netdom trust EXAMPLE.EXM /domain:DOM1.EXAMPLE.EXM /addtln:web.example.exm
A list should show:
netdom trust EXAMPLE.EXM /namesuffixes:DOM1.EXAMPLE.EXM
Name, Type, Status, Notes
1. *.dom1.example.exm, Name Suffix, Enabled
2. *.web.example.exm, Name Suffix, Enabled
This would mean you can have www1.web.example.exm and www2.web.example.exm in
domain DOM1.EXAMPLE.EXM.
> Any help would be appreciated.
>
> Thanks!
>
Regards
Markus
> Eric Schwarz
> MCSE, MCT, Security+
> Server/ Active Directory- Team Lead
> Windows Security Services C01910
> Systems Technology
>
> phone- (309) 763-2873
> mobile- (309) 319-3238
> email- eric.schwarz.nrla at statefarm.com
> hpsd- SERVER-WINSECURITY (WG2716)
> WinSecurity Change Management (WG2811)
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
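As an added illustration (my own code, not from Markus's post or from MIT Kerberos), the following Python models how the krb5.conf in the reply is interpreted: the domain_realm lookup that sends web.example.exm to DOM1.EXAMPLE.EXM while host.example.exm stays in EXAMPLE.EXM, and the two auth_to_local entries that map a user from any realm under EXAMPLE.EXM to a local account name, refusing everyone else. Hostnames and realm names are those from the thread; the lookup order (exact host first, then longest dotted suffix) is my assumption modelled on MIT's behaviour.

```python
import re

# Constructed from the [domain_realm] section of the krb5.conf in the post
DOMAIN_REALM = {
    ".example.exm": "EXAMPLE.EXM",
    "example.exm": "EXAMPLE.EXM",
    ".dom1.example.exm": "DOM1.EXAMPLE.EXM",
    "dom1.example.exm": "DOM1.EXAMPLE.EXM",
    ".dom2.example.exm": "DOM2.EXAMPLE.EXM",
    "dom2.example.exm": "DOM2.EXAMPLE.EXM",
    ".subdom.dom2.example.exm": "SUBDOM.DOM2.EXAMPLE.EXM",
    "subdom.dom2.example.exm": "SUBDOM.DOM2.EXAMPLE.EXM",
    "web.example.exm": "DOM1.EXAMPLE.EXM",  # host-specific override
}
DEFAULT_REALM = "EXAMPLE.EXM"  # [libdefaults] default_realm


def host_realm(hostname):
    """Assumed model of krb5's domain_realm lookup: an exact hostname entry
    wins, otherwise the longest matching dotted parent-domain suffix."""
    name = hostname.lower().rstrip(".")
    if name in DOMAIN_REALM:
        return DOMAIN_REALM[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in DOMAIN_REALM:
            return DOMAIN_REALM[suffix]
    return None  # real krb5 would fall back to DNS or the default realm


def service_principal(service, hostname):
    """Service principal a client asks the KDC for: service/host@REALM."""
    return f"{service}/{hostname}@{host_realm(hostname)}"


# Selection regex of RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//
# Note the unescaped dot in EXAMPLE.EXM: it matches any character.
RULE_SELECT = re.compile(r".*@.*\.EXAMPLE.EXM$")


def auth_to_local(principal):
    """Evaluate the post's two auth_to_local entries in order."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    if len(components) == 1:               # [1:...] needs one component
        formatted = f"{components[0]}@{realm}"   # $1@$0
        if RULE_SELECT.search(formatted):
            return re.sub(r"@.*", "", formatted)  # s/@.*//
    if len(components) == 1 and realm == DEFAULT_REALM:
        return components[0]               # DEFAULT: default realm only
    return None                            # no rule matched: access denied
```

Note that a user from the root realm EXAMPLE.EXM is not caught by the RULE (no dot precedes EXAMPLE in the formatted string) and is mapped only by the DEFAULT entry, which is why both lines are needed.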