KfW krb5.conf inclusions

David Bear David.Bear at asu.edu
Fri May 4 14:07:04 EDT 2007

On Fri, May 04, 2007 at 01:25:22PM -0400, Jeffrey Altman wrote:
> David Bear wrote:
> > I have been wondering about necessary inclusions in a krb5.conf file
> > for use on a windows box that is ALSO joined and authenticating to AD.
> >
> > We have to kerb realms; an original MIT kerb5 realm, and a separate
> > realm for AD. Our MIT realm is used to authentication users of afs.
> > Our AD realm is used for ... things microsoft.
> >
> > Will KfW automagically handle obtaining tickets from the AD realm
> > without having anything entries in the krb5.conf file? 
> >
> > I have entries for both realms currently and I consistently get an
> > error from the NetId Manager that it failed to get tickets for our AD
> > realm. However, when I look in the NetId Manager I do indeed see
> > various tickes from our AD realm. I'm thinking that perhaps the
> > additional entries in the krb5.con file are superflous.
> >
> > We do get tickets and afs tokens properly from our MIT realm which
> > makes afs happy.
> Does your NIM identity for the Windows principal have a configuration
> stating it should obtain AFS tokens?   I bet that is what is failing.

I don't know what a NIM identity is or how to check for it. Any

I do know there is a cross realm trust from our AD domain to our MIT
realm. (please note when I speak of MIT realm, its NOT MIT -- its
just a true MIT based kerb realm)

> KFW will use DNS SRV lookups to obtain the data for the Windows Active
> Directory realm if you don't include them in the krb5.ini file.

I have verified that we use dsn records for our afs servers.

> Jeffrey Altman
> Secure Endpoints Inc.

David Bear
phone: 	602-496-0424
fax: 	602-496-0955
College of Public Programs/ASU
University Center Rm 622
411 N Central
Phoenix, AZ 85007-0685
 "Beware the IP portfolio, everyone will be suspect of trespassing"

More information about the Kerberos mailing list