Joining a multiple realm AD environment

Chris Penney penney at msu.edu
Sat May 19 09:26:47 EDT 2007


On 5/18/07, Douglas E. Engert <deengert at anl.gov> wrote:
>
> Chris Penney wrote:
> >
> > Ah!  I see.  I used the pam_krb5 that Douglas noted and the pam config
> > lines you noted and it works basically as intended.
> >
> > Do you still have to do this even if you add the system to AD via a
> > "User" account?
>
> Microsoft used a mis-leading term when they said to add the machine as
> a "user".  You are adding a service principal for the machine into a
> realm. With AD that also means it needs an account, which looks like
> a "user" account, but in Kerberos terms has nothing to do with the user.
>
> So each user must be registered with a principal and (AD account), and
> each service must be registered with a principal and its own AD account).
>
> If you have cross realm setup then each user only needs to be in one realm,
> and each service only needs to be in one realm.
>
> You did not indicate that you have cross realm set up. i.e. the ADs have
> some cross domain trust.  But if it works as intended, then it must.
> A klist would show an extra TGT like krbtgt/LOC1.DOM.COM@LOC2.DOM.COM

Yes, LOC1 and LOC2 trust each other, though I'm not clear that I'm
leveraging that.  When I say working as intended it's probably
incorrect.  I just mean that if I have an entry in the pam config file
for each realm all users can login simply because pam tries user@LOC1
then user@LOC2, etc.

Is this a normal way of handling this?  Is setting up .k5login with
user@LOCx the best way to avoid iterating through all the realms?

    Chris
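Added illustration, not part of the thread: a model of the .k5login authorization decision that pam_krb5 ends up making, showing why a user whose only principal lives in the trusted second realm is refused unless either PAM tries user@LOC2 or the principal is listed in ~/.k5login. The realm names, the local account "chris", and the file contents are constructed; the rules are modelled on MIT krb5's documented .k5login semantics, not copied from its source.

```python
# Constructed model of the ~/.k5login authorization check (not MIT/Heimdal code).
from typing import Optional

DEFAULT_REALM = "LOC1.DOM.COM"  # assumption: the host's default_realm in krb5.conf


def default_mapping(principal: str, default_realm: str) -> Optional[str]:
    """Default principal-to-local-user rule when no .k5login exists:
    'user@DEFAULT_REALM' maps to local 'user'; anything else maps to nothing."""
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if realm == default_realm and "/" not in name:  # reject instances like user/admin
        return name
    return None


def k5login_authorized(local_user: str, principal: str,
                       k5login: Optional[str],
                       default_realm: str = DEFAULT_REALM) -> bool:
    """Return True if `principal` may log in as `local_user`.

    k5login is the text of ~local_user/.k5login, or None when the file is absent.
    - File absent: only the default mapping applies, so chris@LOC2.DOM.COM is
      refused even though LOC2 is trusted; PAM would have to try user@LOC2 itself.
    - File present: it is authoritative; exact principal matches (any realm) are
      accepted and nothing else is, including user@DEFAULT_REALM if not listed.
    """
    if k5login is None:
        return default_mapping(principal, default_realm) == local_user
    for line in k5login.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#") and entry == principal:
            return True
    return False


# Constructed sample ~/.k5login for local account "chris": both realms listed,
# so cross-realm logins work without iterating realms in the PAM stack.
SAMPLE_K5LOGIN = "chris@LOC1.DOM.COM\nchris@LOC2.DOM.COM\n"
```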
