Joining a multiple realm AD environment

Chris Penney penney at msu.edu
Fri May 11 10:19:24 EDT 2007


Hello,

At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM,
etc.) that all trust each other.  There are users set up in each realm
that need to access the Linux systems I maintain.  Today, we have a
completely independent realm (with our own principal for each user)
that I want to do away with and just join the AD structure (i.e. be
assimilated ;) ).

I have proven that with krb5-1.5.3 I can set my default realm to
LOC1.DOM.COM and effectively login (my account is in LOC1).  Users
from other realms cannot.  I'm curious what I need to do to make this
work.  We have SRV records set up for KDC lookup.  I have not yet
created a computer account for the system.  In /etc/krb5.conf I have:

[libdefaults]
    default_realm = LOC1.DOM.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

[realms]
    LOC1.DOM.COM = {
        auth_to_local = RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//
        auth_to_local = DEFAULT
    }
    LOC2.DOM.COM = {
        auth_to_local = RULE:[1:$1@$0](.*@LOC1\.DOM\.COM)s/@.*//
        auth_to_local = DEFAULT
    }

This doesn't seem to work.  Using 'tcpdump port kerberos' when a user
in LOC2 logs in I only see LOC1 being queried.  I'm curious if I'm
doing something wrong or if I simply need to get a computer account
created for the box before trusts work.  I was hoping to not approach
the AD staff until I was more or less certain I knew what needed to be
done.

Thanks,

   Chris
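As an added illustration (not part of Chris's post), here is a small Python model of how MIT krb5 evaluates auth_to_local RULE entries: it mirrors MIT's behaviour of consulting only the rules under the default realm's [realms] entry, formats the principal components into the `[n:string]` template, requires the selector regex to match the whole string, and then applies the sed-style substitution. The rules are copied from the post's LOC1.DOM.COM section; the sample principals are constructed.

```python
import re

# RULE:[n:string](selector)s/pattern/replacement/[g]
RULE_RE = re.compile(r'^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$')

# Rules as written under LOC1.DOM.COM (the default realm) in the post.
LOC1_RULES = [
    r"RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//",
    "DEFAULT",
]


def apply_rule(rule, principal):
    """Return the local name produced by one RULE, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unrecognised auth_to_local rule: {rule}")
    ncomp, fmt, selector, pattern, repl, flag = m.groups()
    name, _, realm = principal.rpartition('@')
    comps = name.split('/')
    # The rule only applies to principals with exactly n components.
    if len(comps) != int(ncomp):
        return None
    # $0 is the realm, $1..$n are the principal components.
    formatted = fmt.replace('$0', realm)
    for i, comp in enumerate(comps, start=1):
        formatted = formatted.replace(f'${i}', comp)
    # The selector must match the entire formatted string.
    if not re.fullmatch(selector, formatted):
        return None
    # sed-style substitution; backreferences use \1 as in MIT's implementation.
    return re.sub(pattern, repl, formatted, count=0 if flag == 'g' else 1)


def auth_to_local(rules, principal, default_realm):
    """Map a principal to a local user name using the default realm's rules."""
    for rule in rules:
        if rule == "DEFAULT":
            name, _, realm = principal.rpartition('@')
            # DEFAULT only maps single-component principals in the default realm.
            if realm == default_realm and '/' not in name:
                return name
            continue
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    return None  # no rule matched: krb5 refuses the mapping
```

Running this against `bob@LOC2.DOM.COM` yields `bob`, while `host/web.dom.com@LOC2.DOM.COM` and a principal from an untrusted realm map to nothing, which is the check worth making before relying on the rule for logins.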
