R: Multiple AD domains and MIT Kerberos

Eric Schwarz eric.schwarz.nrla at statefarm.com
Sat Mar 3 16:02:13 EST 2007


 Jeffrey,

After reading up a lot on this I would like to request your patience one
more time...

Based on the diagram I have attached, we have a user account in the
DOM1.EXAMPLE.COM domain of a forest you can see. That resource is
accessed via SPN http/webcontent.dom1.example.com at DOM1.EXAMPLE.COM. The
UNIX machines hosting the web content are also in the DOM1.EXAMPLE.COM
realm. Based on
http://www.faqs.org/faqs/kerberos-faq/general/section-48.html it appears
that I must define in the [capaths] section of the krb5.conf the
transitive trusts for the forest if I want users from any other AD
domain to be able to access the resource outside of DOM1.EXAMPLE.COM.
Thus I have tried to construct a krb5.conf file that would be
appropriate. Is this anywhere near correct?

[libdefaults]
        default_realm = DOM1.EXAMPLE.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc


[realms]
        EXAMPLE.COM = {
                kdc = dc23.EXAMPLE.COM:88
                admin_server = dc23.EXAMPLE.COM:749
                default_domain = EXAMPLE.COM

        }
        DOM1.EXAMPLE.COM= {
                kdc = dc72.DOM1.EXAMPLE.COM:88
                admin_server = dc72.DOM1.EXAMPLE.COM:749
                default_domain = DOM1.EXAMPLE.COM

        }
        DOM2.EXAMPLE.COM = {
                kdc = dc44.DOM2.EXAMPLE.COM:88
                admin_server = dc44.DOM2.EXAMPLE.COM:749
                default_domain = DOM2.EXAMPLE.COM

        }
        SUBDOM.DOM2.EXAMPLE.COM = {
                kdc = dc9.SUBDOM.DOM2.EXAMPLE.COM:88
                admin_server = dc9.SUBDOM.DOM2.EXAMPLE.COM:749
                default_domain = SUBDOM.DOM2.EXAMPLE.COM

        }

[domain_realm]
        .dom1.example.com = DOM1.EXAMPLE.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log

[capaths]
       EXAMPLE.COM = {
               DOM1.EXAMPLE.COM = .
               DOM2.EXAMPLE.COM = .
               SUBDOM.DOM2.EXAMPLE.COM = DOM2.EXAMPLE.COM
       }
       DOM1.EXAMPLE.COM = {
               EXAMPLE.COM = .
               DOM2.EXAMPLE.COM = EXAMPLE.COM
               SUBDOM.DOM2.EXAMPLE.COM = DOM2.EXAMPLE.COM
       }
       DOM2.EXAMPLE.COM = {
               EXAMPLE.COM = .
               DOM1.EXAMPLE.COM = .
               SUBDOM.DOM2.EXAMPLE.COM = .
       }
       SUBDOM.DOM2.EXAMPLE.COM = {
               DOM2.EXAMPLE.COM = .
               EXAMPLE.COM = DOM2.EXAMPLE.COM
               DOM1.EXAMPLE.COM = EXAMPLE.COM
       }


Thanks so much and again I appreciate the indulgence :)

Eric Schwarz 
MCSE, MCT, Security+ 
Server/ Active Directory- Team Lead
Windows Security Services C01910 
Systems Technology 

phone-  (309) 763-2873 
mobile-  (309) 319-3238
email-    eric.schwarz.nrla at statefarm.com  
hpsd-    SERVER-WINSECURITY (WG2716) 
              WinSecurity Change Management (WG2811)


-----Original Message-----
From: Eric Schwarz 
Sent: Saturday, March 03, 2007 5:36 AM
To: 'jaltman at secure-endpoints.com'
Cc: kerberos at mit.edu
Subject: RE: R: Multiple AD domains and MIT Kerberos

Jeffrey,

Thank you so much for replying!

Q. Would the [domain_realm] entry look like this-

	[domain_realm]
        	host.example.com = SUBDOM.DOM2.EXAMPLE.COM

Is this correct?
-----------------------------------------

Q. Is there any need to map any of the other AD domain names within
[domain_realm]? There is only a single resource SPN being accessed in
this case and it is host.example.com.

-----------------------------------------

Q. In this scenario then the UNIX machine would be in the
SUBDOM.DOM2.EXAMPLE.COM AD domain and that is listed under the 

	[libdefaults]
        	default_realm = SUBDOM.DOM2.EXAMPLE.COM

Is this correct?
-----------------------------------------

Q. So in this example there is no need for a [capath] entry? 

-----------------------------------------

Q. Is there any need to list any KDC for any realms/ domains outside of
SUBDOM.DOM2.EXAMPLE.COM in the [realms] section?

-----------------------------------------
With this in place, a user account located in any of the four domains
should be able to access http://host.example.com based on the SPN
http/host.example.com being registered on the account in the
SUBDOM.DOM2.EXAMPLE.COM AD domain? 

Is this correct?

-----------------------------------------

I cannot express enough gratitude for the assistance!

Eric Schwarz 
MCSE, MCT, Security+ 
Server/ Active Directory- Team Lead
Windows Security Services C01910 
Systems Technology 

phone-  (309) 763-2873 
mobile-  (309) 319-3238
email-    eric.schwarz.nrla at statefarm.com  
hpsd-    SERVER-WINSECURITY (WG2716) 
              WinSecurity Change Management (WG2811)


-----Original Message-----
From: Jeffrey Altman [mailto:jaltman at secure-endpoints.com] 
Sent: Friday, March 02, 2007 4:01 PM
To: Eric Schwarz
Cc: kerberos at mit.edu
Subject: Re: R: Multiple AD domains and MIT Kerberos

if the host name is host.example.com and the service principal is
http/host.example.com at SUBDOM.DOM2.EXAMPLE.COM then the domain realm
entry for host.example.com should be SUBDOM.DOM2.EXAMPLE.COM

Jeffrey Altman
Secure Endpoints Inc.


Eric Schwarz wrote:
> Hello,
>
> We have a situation where we are trying to get AIX Kerberos to
interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to
get the krb5.conf configuration to allow for the SPN to be registered in
an account that is not in the root domain of the forest. Example-
>
> Forest-
>
> Example.exm
> Dom1.example.exm
> Dom2.example.exm
> SubDom.Dom2.example.exm
>
> How do you configure the krb5.conf file to understand that the keytab
file is coming from an account in Dom1.example.exm (SPN=
http\web.example.com), yet the AIX machine should allow any Windows
account from any of the domains in the forest to authenticate to the AIX
machine? We believe it would have something to do with the [realms]
and/or [capath] settings... but cannot get it configured to accept
authentication from all domains unless the account with the target SPN
is in the root domain and all sub-domains then share a contiguous name
space. As son as we place the target SPN on a sub-domain account only
users from that domain can authenticate... all other domains cannot.
>
> Any help would be appreciated.
>
> Thanks!
>
> Eric Schwarz 
> MCSE, MCT, Security+ 
> Server/ Active Directory- Team Lead
> Windows Security Services C01910 
> Systems Technology 
>
> phone-  (309) 763-2873 
> mobile-  (309) 319-3238
> email-    eric.schwarz.nrla at statefarm.com  
> hpsd-    SERVER-WINSECURITY (WG2716) 
>               WinSecurity Change Management (WG2811)
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


More information about the Kerberos mailing list