R: Multiple AD domains and MIT Kerberos

Eric Schwarz eric.schwarz.nrla at statefarm.com
Sat Mar 3 06:36:24 EST 2007


Jeffrey,

Thank you so much for replying!

Q. Would the [domain_realm] entry look like this-

    [domain_realm]
        host.example.com = SUBDOM.DOM2.EXAMPLE.COM

Is this correct?
-----------------------------------------

Q. Is there any need to map any of the other AD domain names within
[domain_realm]? There is only a single resource SPN being accessed in
this case and it is host.example.com.

-----------------------------------------

Q. In this scenario then the UNIX machine would be in the
SUBDOM.DOM2.EXAMPLE.COM AD domain and that is listed under the 

    [libdefaults]
        default_realm = SUBDOM.DOM2.EXAMPLE.COM

Is this correct?
-----------------------------------------

Q. So in this example there is no need for a [capath] entry? 

-----------------------------------------

Q. Is there any need to list any KDC for any realms/ domains outside of
SUBDOM.DOM2.EXAMPLE.COM in the [realms] section?

-----------------------------------------
With this in place, a user account located in any of the four domains
should be able to access http://host.example.com based on the SPN
http/host.example.com being registered on the account in the
SUBDOM.DOM2.EXAMPLE.COM AD domain? 

Is this correct?

-----------------------------------------

I cannot express enough gratitude for the assistance!

Eric Schwarz 
MCSE, MCT, Security+ 
Server/ Active Directory- Team Lead
Windows Security Services C01910 
Systems Technology 

phone-  (309) 763-2873 
mobile-  (309) 319-3238
email-    eric.schwarz.nrla at statefarm.com  
hpsd-    SERVER-WINSECURITY (WG2716) 
              WinSecurity Change Management (WG2811)
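The questions above all hinge on how libkrb5 turns a host name into a realm from [domain_realm]. The following is an added example, not code or configuration from the thread or from MIT krb5 itself: it embeds a constructed krb5.conf in the shape Eric and Jeffrey discuss (default_realm and an exact-host [domain_realm] entry for host.example.com pointing at SUBDOM.DOM2.EXAMPLE.COM), reproduces the lookup order MIT documents (exact host name first, then each parent domain with a leading dot, then the fallback), and lists realms that [domain_realm] references without a matching [realms] block. The KDC host names, the .dom1.example.exm mapping and the default_realm fallback are assumptions; real libkrb5 may instead consult DNS TXT records, KDC referrals or the upper-cased parent domain, and with dns_lookup_kdc it can locate KDCs without any [realms] entry.

```python
"""Host-to-realm mapping as MIT krb5 resolves it from [domain_realm].

Added example for the thread above; not the project's own code.
"""

# Constructed sample krb5.conf. Only host.example.com and
# SUBDOM.DOM2.EXAMPLE.COM come from the thread; the KDC names and the
# DOM1.EXAMPLE.EXM mapping are assumptions made for the demonstration.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = SUBDOM.DOM2.EXAMPLE.COM
    dns_lookup_realm = false

[realms]
    SUBDOM.DOM2.EXAMPLE.COM = {
        kdc = dc1.subdom.dom2.example.com
        admin_server = dc1.subdom.dom2.example.com
    }

[domain_realm]
    # exact host name: matches only this host (Jeffrey's answer)
    host.example.com = SUBDOM.DOM2.EXAMPLE.COM
    # leading dot: matches every host under that domain
    .subdom.dom2.example.com = SUBDOM.DOM2.EXAMPLE.COM
    .dom1.example.exm = DOM1.EXAMPLE.EXM
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the flat sections.

    Brace-delimited blocks inside [realms] are not descended into; the
    realm name is recorded so we know a block exists for it.
    """
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            depth = 0
            continue
        if current is None:
            continue
        if line.endswith("{"):                   # "REALM = {" opens a block
            if depth == 0:
                sections[current][line.split("=", 1)[0].strip()] = "{...}"
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value   # host names are case-insensitive
    return sections


def host_realm(hostname, conf):
    """Resolve a host name to (realm, matched_entry).

    Lookup order mirrors libkrb5: the full host name, then each parent
    domain prefixed with a dot (".dom2.example.com", ".example.com", ".com").
    matched_entry is None when the fallback (default_realm here) was used.
    """
    mapping = conf.get("domain_realm", {})
    name = hostname.lower().rstrip(".")
    candidates = [name]
    dot = name.find(".")
    while dot != -1:
        candidates.append(name[dot:])
        dot = name.find(".", dot + 1)
    for candidate in candidates:
        if candidate in mapping:
            return mapping[candidate], candidate
    return conf.get("libdefaults", {}).get("default_realm"), None


def realms_without_kdc_block(conf):
    """Realms named in [domain_realm] that have no [realms] block.

    Not necessarily an error (DNS SRV lookup may find the KDCs), but it is
    the thing to check when a mapped realm cannot be reached.
    """
    referenced = set(conf.get("domain_realm", {}).values())
    return referenced - set(conf.get("realms", {}))


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for host in ("host.example.com", "dc1.subdom.dom2.example.com",
                 "other.example.com"):
        realm, via = host_realm(host, conf)
        print(f"{host:32} -> {realm} (via {via or 'default_realm'})")
    print("mapped realms lacking a [realms] block:",
          sorted(realms_without_kdc_block(conf)))
```

Running it shows the exact-host entry winning for host.example.com, the dotted entry covering every host in subdom.dom2.example.com, and an unmapped host falling through to default_realm; the final line flags DOM1.EXAMPLE.EXM as a realm the client knows about but has no KDC configured for.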


-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
Sent: Friday, March 02, 2007 4:01 PM
To: Eric Schwarz
Cc: kerberos at mit.edu
Subject: Re: R: Multiple AD domains and MIT Kerberos

if the host name is host.example.com and the service principal is
http/host.example.com at SUBDOM.DOM2.EXAMPLE.COM then the domain realm
entry for host.example.com should be SUBDOM.DOM2.EXAMPLE.COM

Jeffrey Altman
Secure Endpoints Inc.


Eric Schwarz wrote:
> Hello,
>
> We have a situation where we are trying to get AIX Kerberos to
interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to
get the krb5.conf configuration to allow for the SPN to be registered in
an account that is not in the root domain of the forest. Example-
>
> Forest-
>
> Example.exm
> Dom1.example.exm
> Dom2.example.exm
> SubDom.Dom2.example.exm
>
> How do you configure the krb5.conf file to understand that the keytab
file is coming from an account in Dom1.example.exm (SPN=
http\web.example.com), yet the AIX machine should allow any Windows
account from any of the domains in the forest to authenticate to the AIX
machine? We believe it would have something to do with the [realms]
and/or [capath] settings... but cannot get it configured to accept
authentication from all domains unless the account with the target SPN
is in the root domain and all sub-domains then share a contiguous name
space. As soon as we place the target SPN on a sub-domain account only
users from that domain can authenticate... all other domains cannot.
>
> Any help would be appreciated.
>
> Thanks!
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos