Multiple AD domains and MIT Kerberos
Markus Moeller
huaraz at moeller.plus.com
Sat Mar 3 14:02:28 EST 2007
BTW in your server code you have to use GSS_C_NO_NAME as desired name in
gss_acquire_cred or use GSS_C_NULL_OID in gss_import with
HTTP/web.example.exm@DOM1.EXAMPLE.EXM as input
Regards
Markus
"Markus Moeller" <huaraz at moeller.plus.com> wrote in message
news:escflf$r0l$1 at sea.gmane.org...
>
> "Eric Schwarz" <eric.schwarz.nrla at statefarm.com> wrote in message
> news:20253DF9635FD5438442BBC8397BBE7403F9D6B8 at WPSCV6NF.OPR.STATEFARM.ORG...
>> Hello,
>>
>> We have a situation where we are trying to get AIX Kerberos to
>> interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to
>> get the krb5.conf configuration to allow for the SPN to be registered in
>> an account that is not in the root domain of the forest. Example-
>>
>> Forest-
>>
>> Example.exm
>> Dom1.example.exm
>> Dom2.example.exm
>> SubDom.Dom2.example.exm
>>
>> How do you configure the krb5.conf file to understand that the keytab
>> file is coming from an account in Dom1.example.exm (SPN=
>> http\web.example.com), yet the AIX machine should allow any Windows
>> account from any of the domains in the forest to authenticate to the AIX
>> machine? We believe it would have something to do with the [realms]
>> and/or [capath] settings... but cannot get it configured to accept
>> authentication from all domains unless the account with the target SPN is
>> in the root domain and all sub-domains then share a contiguous name
>> space. As soon as we place the target SPN on a sub-domain account only
>> users from that domain can authenticate... all other domains cannot.
>>
>
> In a Unix only environment you could do the following:
> Use a second IP on the same interface on the host e.g.
> 192.168.1.1 web.example.exm
> 192.168.1.2 host.example.exm
>
> krb5.conf would look like:
> [libdefaults]
> default_realm = EXAMPLE.EXM
> [realms]
> EXAMPLE.EXM = {
> auth_to_local = RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//
> auth_to_local = DEFAULT
> }
> [domain_realm]
> .example.exm = EXAMPLE.EXM
> example.exm = EXAMPLE.EXM
> .dom1.example.exm = DOM1.EXAMPLE.EXM
> dom1.example.exm = DOM1.EXAMPLE.EXM
> .dom2.example.exm = DOM2.EXAMPLE.EXM
> dom2.example.exm = DOM2.EXAMPLE.EXM
> .subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
> subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
> web.example.exm = DOM1.EXAMPLE.EXM
>
> Now when you do ssh host.example.exm you will use
> host/host.example.exm@EXAMPLE.EXM and when accessing the web server
> web.example.exm you will use HTTP/web.example.exm@DOM1.EXAMPLE.EXM
>
> On windows this is (as far as I know) not possible. You can only
> "redirect" the queries for a domain not a host e.g.
> netdom trust EXAMPLE.EXM /domain:DOM1.EXAMPLE.EXM /addtln:web.example.exm
>
> A list should show:
> netdom trust EXAMPLE.EXM /namesuffixes:DOM1.EXAMPLE.EXM
> Name, Type, Status, Notes
> 1. *.dom1.example.exm, Name Suffix, Enabled
> 1. *.web.example.exm, Name Suffix, Enabled
>
> would mean you can have www1.web.example.exm and www2.web.example.exm in
> domain DOM1.EXAMPLE.EXM
>
>> Any help would be appreciated.
>>
>> Thanks!
>>
>
> Regards
> Markus
>
>> Eric Schwarz
>> MCSE, MCT, Security+
>> Server/ Active Directory- Team Lead
>> Windows Security Services C01910
>> Systems Technology
>>
>> phone- (309) 763-2873
>> mobile- (309) 319-3238
>> email- eric.schwarz.nrla at statefarm.com
>> hpsd- SERVER-WINSECURITY (WG2716)
>> WinSecurity Change Management (WG2811)
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
>
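The krb5.conf quoted above combines two mechanisms: [domain_realm] decides which realm a service host belongs to (so web.example.exm is looked up in DOM1.EXAMPLE.EXM while host.example.exm stays in EXAMPLE.EXM), and the auth_to_local entries decide which incoming principals the AIX side will map to a local user. The following Python is an added worked example, not code from the thread or from MIT Kerberos; it reimplements the documented MIT krb5 semantics for illustration (exact-host-then-parent-domain lookup for [domain_realm]; RULE:[n:string](regexp)s/pattern/replacement/ and DEFAULT for auth_to_local) so you can see which principals the posted rule accepts. The function names parse_krb5_conf, host_realm and auth_to_local are assumptions of this example.

```python
"""Added example: apply the [domain_realm] and auth_to_local semantics of
MIT krb5 to the krb5.conf posted in the thread. The parser and matching
logic are a reimplementation for illustration, not MIT's own code."""
import re

# krb5.conf exactly as posted in the thread (embedded here as test input).
KRB5_CONF = """
[libdefaults]
default_realm = EXAMPLE.EXM
[realms]
EXAMPLE.EXM = {
auth_to_local = RULE:[1:$1@$0](.*@.*\\.EXAMPLE.EXM$)s/@.*//
auth_to_local = DEFAULT
}
[domain_realm]
.example.exm = EXAMPLE.EXM
example.exm = EXAMPLE.EXM
.dom1.example.exm = DOM1.EXAMPLE.EXM
dom1.example.exm = DOM1.EXAMPLE.EXM
.dom2.example.exm = DOM2.EXAMPLE.EXM
dom2.example.exm = DOM2.EXAMPLE.EXM
.subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
web.example.exm = DOM1.EXAMPLE.EXM
"""


def parse_krb5_conf(text):
    """Minimal parser: [sections], key = value lines and one level of
    NAME = { ... } blocks. Repeated keys (auth_to_local) keep their order."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
        elif line == "}":
            block = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf


def host_realm(conf, hostname):
    """[domain_realm] lookup: the exact host name wins, then parent domains
    with a leading dot, longest match first (MIT krb5 lookup order)."""
    table = conf["domain_realm"]
    labels = hostname.lower().split(".")
    candidates = [hostname.lower()]
    candidates += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in candidates:
        if candidate in table:
            return table[candidate][0]
    return None


# RULE:[n:string](selector regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def auth_to_local(conf, principal):
    """Walk the default realm's auth_to_local entries in order and return
    the local user name, or None when no entry maps the principal."""
    default_realm = conf["libdefaults"]["default_realm"][0]
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    for entry in conf["realms"][default_realm].get("auth_to_local", []):
        if entry == "DEFAULT":
            # DEFAULT maps a single-component principal of the default realm
            # to its first component and nothing else.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        m = RULE_RE.match(entry)
        if not m:
            raise ValueError("unsupported auth_to_local entry: " + entry)
        n, fmt, selector, pattern, repl, flag = m.groups()
        if int(n) != len(components):
            continue  # a RULE applies only to principals with exactly n parts
        s = fmt.replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            s = s.replace("$%d" % i, comp)
        # MIT requires the selector to match the entire formatted string.
        if not re.fullmatch(selector, s):
            continue
        return re.sub(pattern, repl, s, count=0 if flag else 1)
    return None


if __name__ == "__main__":
    cfg = parse_krb5_conf(KRB5_CONF)
    for host in ("web.example.exm", "host.example.exm", "www1.subdom.dom2.example.exm"):
        print("%-32s -> %s" % (host, host_realm(cfg, host)))
    for princ in ("user@DOM1.EXAMPLE.EXM", "user@EXAMPLE.EXM",
                  "svc/admin@DOM1.EXAMPLE.EXM", "user@OTHER.EXM"):
        print("%-32s -> %s" % (princ, auth_to_local(cfg, princ)))
```

Running it shows why the posted rule works: single-component users from any *.EXAMPLE.EXM child realm are mapped by the RULE, root-realm users are mapped by DEFAULT, and a principal from an unrelated realm or with two components gets no local name at all, which is the behaviour you want before any PAM or application code trusts the mapped user.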