KfW krb5.conf inclusions

Jeffrey Altman jaltman at secure-endpoints.com
Fri May 4 13:25:22 EDT 2007

David Bear wrote:
> I have been wondering about necessary inclusions in a krb5.conf file
> for use on a windows box that is ALSO joined and authenticating to AD.
> We have two kerb realms; an original MIT kerb5 realm, and a separate
> realm for AD. Our MIT realm is used to authenticate users of afs.
> Our AD realm is used for ... things microsoft.
> Will KfW automagically handle obtaining tickets from the AD realm
> without having any entries in the krb5.conf file?
> I have entries for both realms currently and I consistently get an
> error from the NetId Manager that it failed to get tickets for our AD
> realm. However, when I look in the NetId Manager I do indeed see
> various tickets from our AD realm. I'm thinking that perhaps the
> additional entries in the krb5.conf file are superfluous.
> We do get tickets and afs tokens properly from our MIT realm which
> makes afs happy.

Does your NIM identity for the Windows principal have a configuration
stating it should obtain AFS tokens? I bet that is what is failing.

KFW will use DNS SRV lookups to obtain the data for the Windows Active
Directory realm if you don't include them in the krb5.ini file.

Jeffrey Altman
Secure Endpoints Inc.
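
A rough way to see which realms in a krb5.conf / krb5.ini carry explicit kdc entries and which would be left to the DNS SRV lookup mentioned in the reply above. This is an added example, not part of the original message and not KfW code; the realm names and hosts are constructed placeholders, the SRV names are the standard _kerberos._udp / _kerberos._tcp records, and DNS lookup of KDCs is assumed not to be disabled in [libdefaults].

```python
import re

# Constructed sample krb5.conf; placeholder realms, not the poster's.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = MIT.EXAMPLE.EDU

[realms]
    MIT.EXAMPLE.EDU = {
        kdc = kerberos.mit.example.edu
        admin_server = kerberos.mit.example.edu
    }
    OLD.EXAMPLE.EDU = {
        default_domain = old.example.edu
    }
"""

def realms_with_kdc(conf_text):
    """Return {realm: [kdc, ...]} for every realm block in [realms]."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # new top-level section
            section, current = header.group(1), None
        elif section == "realms":
            if line == "}":                   # end of a realm block
                current = None
            elif line.endswith("{"):          # "REALM = {"
                current = line.split("=", 1)[0].strip()
                realms[current] = []
            elif current and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                if key == "kdc":
                    realms[current].append(value)
    return realms

def kdc_source(conf_text, realm):
    """Where a client would find KDCs for realm: the file, or DNS SRV names."""
    kdcs = realms_with_kdc(conf_text).get(realm, [])
    if kdcs:
        return ("krb5.conf", kdcs)
    r = realm.lower()                         # DNS names are case-insensitive
    return ("dns-srv", [f"_kerberos._udp.{r}", f"_kerberos._tcp.{r}"])
```

A realm reported as "dns-srv" resolves only if those SRV records exist in DNS, which an Active Directory domain publishes for its domain controllers.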