Joining a multiple realm AD environment
Douglas E. Engert
deengert at anl.gov
Fri May 18 16:58:46 EDT 2007
Chris Penney wrote:
> On 5/17/07, Douglas E. Engert <deengert at anl.gov> wrote:
>> Whoses pam_krb5? Russ Allbery's has some extra options that might
>> try both realms.
>
>
> On 5/17/07, Markus Moeller <huaraz at moeller.plus.com> wrote:
>> You need entries like (assuming that users are uniq over both domains
>> and you have more users in LOC1.DOM.COM)
>> other auth sufficient pam_krb5 REALM=LOC1.DOM.COM
>> other auth sufficient pam_krb5 REALM=LOC2.DOM.COM
Note that the LOC1.DOM.COM AD logs may show a lot of failures
for missing users or bad passwords, and may lock a user account.
>
> Ah! I see. I used the pam_krb5 that Douglas noted and the pam config
> lines you noted and it works basically as intended.
>
> Do you still have to do this even if you add the system to AD via a
> "User" account?
Microsoft used a mis-leading term when they said to add the machine as
a "user". You are adding a service principal for the machine into a
realm. With AD that also means it needs an account, which looks like
a "user" account, but in Kerberos terms has nothing to do with the user.
So each user must be registered with a principal and (AD account), and
each service must be registered with a principal and its own AD account).
If you have cross realm setup then each user only needs to be in one realm,
and each service only needs to be in one realm.
You did not indicate that you have cross realm set up. i.e. the ADs have
some cross domain trust. But if it works as intended, then it must.
A klist would show an extra TGT like krbtgt/LOC1.DOM.COM at LOC2.DOM.COM
>
> Thanks!
>
> Chris
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the Kerberos
mailing list