Multiple AD domains and MIT Kerberos

Markus Moeller huaraz at moeller.plus.com
Sat Mar 3 14:02:28 EST 2007


BTW in your server code you have to use GSS_C_NO_NAME as desired name in 
gss_acquire_cred or use GSS_C_NULL_OID in gss_import with 
HTTP/web.example.exm@DOM1.EXAMPLE.EXM as input

Regards
Markus

"Markus Moeller" <huaraz at moeller.plus.com> wrote in message 
news:escflf$r0l$1 at sea.gmane.org...
>
> "Eric Schwarz" <eric.schwarz.nrla at statefarm.com> wrote in message 
> news:20253DF9635FD5438442BBC8397BBE7403F9D6B8 at WPSCV6NF.OPR.STATEFARM.ORG...
>> Hello,
>>
>> We have a situation where we are trying to get AIX Kerberos to 
>> interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to 
>> get the krb5.conf configuration to allow for the SPN to be registered in 
>> an account that is not in the root domain of the forest. Example-
>>
>> Forest-
>>
>> Example.exm
>> Dom1.example.exm
>> Dom2.example.exm
>> SubDom.Dom2.example.exm
>>
>> How do you configure the krb5.conf file to understand that the keytab 
>> file is coming from an account in Dom1.example.exm (SPN= 
>> http\web.example.com), yet the AIX machine should allow any Windows 
>> account from any of the domains in the forest to authenticate to the AIX 
>> machine? We believe it would have something to do with the [realms] 
>> and/or [capath] settings... but cannot get it configured to accept 
>> authentication from all domains unless the account with the target SPN is 
>> in the root domain and all sub-domains then share a contiguous name 
>> space. As soon as we place the target SPN on a sub-domain account only 
>> users from that domain can authenticate... all other domains cannot.
>>
>
> In a Unix only environment you could do the following:
> Use a second IP on the same interface on the host e.g.
> 192.168.1.1  web.example.exm
> 192.168.1.2  host.example.exm
>
> krb5.conf would look like:
> [libdefaults]
>        default_realm = EXAMPLE.EXM
> [realms]
>        EXAMPLE.EXM = {
>                auth_to_local = RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//
>                auth_to_local = DEFAULT
>        }
> [domain_realm]
>         .example.exm = EXAMPLE.EXM
>         example.exm = EXAMPLE.EXM
>         .dom1.example.exm = DOM1.EXAMPLE.EXM
>         dom1.example.exm = DOM1.EXAMPLE.EXM
>         .dom2.example.exm = DOM2.EXAMPLE.EXM
>         dom2.example.exm = DOM2.EXAMPLE.EXM
>         .subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
>         subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
>         web.example.exm = DOM1.EXAMPLE.EXM
>
> Now when you do ssh host.example.exm you will use 
> host/host.example.exm@EXAMPLE.EXM and when accessing the web server 
> web.example.exm you will use HTTP/web.example.exm@DOM1.EXAMPLE.EXM
>
> On windows this is (as far as I know) not possible. You can only 
> "redirect" the queries for a domain not a host e.g.
> netdom trust EXAMPLE.EXM /domain:DOM1.EXAMPLE.EXM /addtln:web.example.exm
>
> A list should show:
> netdom trust EXAMPLE.EXM /namesuffixes:DOM1.EXAMPLE.EXM
>   Name, Type, Status, Notes
> 1. *.dom1.example.exm, Name Suffix, Enabled
> 1. *.web.example.exm, Name Suffix, Enabled
>
> would mean you can have www1.web.example.exm and www2.web.example.exm in 
> domain DOM1.EXAMPLE.EXM
>
>> Any help would be appreciated.
>>
>> Thanks!
>>
>
> Regards
> Markus
>
>> Eric Schwarz
>> MCSE, MCT, Security+
>> Server/ Active Directory- Team Lead
>> Windows Security Services C01910
>> Systems Technology
>>
>> phone-  (309) 763-2873
>> mobile-  (309) 319-3238
>> email-    eric.schwarz.nrla at statefarm.com
>> hpsd-    SERVER-WINSECURITY (WG2716)
>>              WinSecurity Change Management (WG2811)
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> 
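How the quoted krb5.conf drives the two decisions discussed in the thread, as an added example that is not part of the original post: the [domain_realm] walk that picks DOM1.EXAMPLE.EXM for web.example.exm but EXAMPLE.EXM for host.example.exm, and the auth_to_local RULE/DEFAULT evaluation that turns a principal from any forest domain into a local user name. The realm lookup and the DEFAULT rule are a hand-built model of the documented MIT krb5 behaviour, not MIT's own code; the sample hosts and principals are constructed.

```python
import re

DEFAULT_REALM = "EXAMPLE.EXM"  # values below are taken from the quoted krb5.conf
DOMAIN_REALM = {
    ".example.exm": "EXAMPLE.EXM", "example.exm": "EXAMPLE.EXM",
    ".dom1.example.exm": "DOM1.EXAMPLE.EXM", "dom1.example.exm": "DOM1.EXAMPLE.EXM",
    ".dom2.example.exm": "DOM2.EXAMPLE.EXM", "dom2.example.exm": "DOM2.EXAMPLE.EXM",
    ".subdom.dom2.example.exm": "SUBDOM.DOM2.EXAMPLE.EXM", "subdom.dom2.example.exm": "SUBDOM.DOM2.EXAMPLE.EXM",
    "web.example.exm": "DOM1.EXAMPLE.EXM",  # per-host override for the web SPN
}
AUTH_TO_LOCAL = [r"RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//", "DEFAULT"]

# RULE:[n:fmt](selector)s/pattern/replacement/[g]; selector and s/// are optional
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/(.*?)/(.*?)/(g?))?$")


def host_realm(host):
    """[domain_realm] lookup: exact host entry first, then the longest dotted parent domain."""
    host = host.lower()
    candidates = [host] + ["." + host.split(".", i)[-1] for i in range(1, host.count(".") + 1)]
    return next((DOMAIN_REALM[c] for c in candidates if c in DOMAIN_REALM), None)


def service_principal(service, host):
    """The service principal a client will request when it contacts host."""
    return f"{service}/{host}@{host_realm(host)}"


def auth_to_local(principal):
    """Map a client principal to a local user name; None means no rule applied (login refused)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    for rule in AUTH_TO_LOCAL:
        if rule == "DEFAULT":  # only one-component principals in the default realm
            if realm == DEFAULT_REALM and len(comps) == 1:
                return comps[0]
            continue
        n, fmt, selector, pat, rep, glob = RULE_RE.match(rule).groups()
        if int(n) != len(comps):  # [n:...] applies to n-component principals only
            continue
        s = fmt.replace("$0", realm)  # $0 is the realm, $1.. the name components
        for i, comp in enumerate(comps, 1):
            s = s.replace(f"${i}", comp)
        if selector and not re.fullmatch(selector, s):  # selector must match the whole string
            continue
        if pat is not None:
            s = re.sub(pat, rep, s, count=0 if glob else 1)
        return s
    return None
```

Note that a principal from a realm outside the forest (the selector requires a ".EXAMPLE.EXM" suffix) and a multi-component principal both fall through every rule and are rejected, which is the behaviour you want from a mapping that admits every domain of the forest.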