KfW krb5.conf inclusions

Douglas E. Engert deengert at anl.gov
Fri May 4 14:13:19 EDT 2007

David Bear wrote:
> I have been wondering about necessary inclusions in a krb5.conf file
> for use on a windows box that is ALSO joined and authenticating to AD.
> We have two kerb realms; an original MIT kerb5 realm, and a separate
> realm for AD.

Are the realm names different? If so do they do cross realm?

If they use the same realm name, that could be a problem.
Are user names and passwords synced between them?
If so consider just using AD for the KDCs.

> Our MIT realm is used to authenticate users of afs.
> Our AD realm is used for ... things microsoft.

Are you going to be at the AFS&Kerberos Best Practices next week?

> Will KfW automagically handle obtaining tickets from the AD realm
> without having any entries in the krb5.conf file?
> I have entries for both realms currently and I consistently get an
> error from the NetId Manager that it failed to get tickets for our AD
> realm. However, when I look in the NetId Manager I do indeed see
> various tickets from our AD realm. I'm thinking that perhaps the
> additional entries in the krb5.conf file are superfluous.
> We do get tickets and afs tokens properly from our MIT realm which
> makes afs happy.


  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
