cross domain trusts

Montenegro, Michael H (Michael) mhm4 at alcatel-lucent.com
Mon Apr 28 17:31:09 EDT 2008


I have a question regarding trusted AD domains (realms) with
mod_auth_kerb v5.3. I have reviewed the mod_auth_kerb site and checked
various forums but I couldn't locate a solution.

My environment:

  Multiple Windows 2003 SP1 AD domains with trusts between them.
  MIT Kerberos 1.6.3
  Apache 2.0.59
  mod_auth_kerb v5.3

The domain abc.domain.com has the HTTP service principal and I can
successfully authenticate all AD users in abc.domain.com using a web
site protected by mod_auth_kerb.

The problem is when a user in another domain, for example xyz.domain.com,
tries to access the site: they are prompted with a login screen.

The apache log only shows:

[Fri Apr 25 12:28:41 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos

However a successful connection to abc.domain.com shows:

[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1172): [client xxx.xxx.x.x] Acquiring creds for HTTP/webserver.domain.com@ABC.DOMAIN.COM
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1316): [client xxx.xxx.x.x] Verifying client data using KRB5 GSS-API
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1332): [client xxx.xxx.x.x] Verification returned code 0
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1350): [client xxx.xxx.x.x] GSS-API token of length 161 bytes will be sent back

My .htaccess:

  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbServiceName HTTP/webserver.domain.com@ABC.DOMAIN.COM
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbVerifyKDC on
  Krb5Keytab /etc/krb5.keytab
  KrbAuthRealms ABC.DOMAIN.COM XYZ.DOMAIN.COM
  require valid-user

My /etc/krb5.conf:

  [libdefaults]
   default_realm = ABC.DOMAIN.COM
   ticket_lifetime = 24000
   dns_lookup_realm = true
   dns_lookup_kdc = true

  [realms]
   ABC.DOMAIN.COM = {
    kdc = ad1.abc.domain.com.:88
    kdc = ad1.abc.domain.com.:88
    admin_server = ad1.abc.domain.com.:464
    default_domain = abc.domain.com
   }

   XYZ.DOMAIN.COM = {
    kdc = ad1.xyz.domain.com.:88
    kdc = ad1.xyz.domain.com.:88
    admin_server = ad1.xyz.domain.com.:464
    default_domain = xyz.domain.com
   }

  [domain_realm]
   .ad1.abc.domain.com = ABC.DOMAIN.COM
   ad1.abc.domain.com = ABC.DOMAIN.COM
   .ad1.xyz.domain.com = XYZ.DOMAIN.COM
   ad1.xyz.domain.com = XYZ.DOMAIN.COM

On the webserver:

  I can successfully kinit user1@XYZ.DOMAIN.COM
  I can successfully kinit user2@ABC.DOMAIN.COM

Do I need to have an HTTP service principal created in each AD domain? I
have also set the delegation on the AD service principal account to
"Trust this user for delegation to any service (Kerberos Only)".

The trust I have on ABC.DOMAIN.COM is listed under "Domains trusted by
this domain":

  Domain Name       Trust type   Transitive
  XYZ.DOMAIN.COM    External     No

Any help is greatly appreciated,

Michael
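
The following is an added example, not code from the post above or from mod_auth_kerb. It parses a constructed copy of the [libdefaults], [realms] and [domain_realm] sections shown in the message and implements the host-to-realm walk that MIT libkrb5 performs over [domain_realm] (exact hostname first, then each parent domain with a leading dot), which is the step a client must get right before it can ask its own KDC for a cross-realm ticket to a service in another realm. It is an offline simplification: with dns_lookup_realm = true the real library would also consult DNS TXT records before falling back to default_realm, and that DNS step is skipped here (assumption). The function and variable names are this example's own.

```python
"""Minimal krb5.conf parser plus MIT-style [domain_realm] host lookup.

Added example, not the poster's code.  KRB5_CONF is a constructed copy of
the configuration quoted in the mailing-list post.
"""
import re

KRB5_CONF = """\
[libdefaults]
 default_realm = ABC.DOMAIN.COM
 ticket_lifetime = 24000
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 ABC.DOMAIN.COM = {
  kdc = ad1.abc.domain.com.:88
  kdc = ad1.abc.domain.com.:88
  admin_server = ad1.abc.domain.com.:464
  default_domain = abc.domain.com
 }
 XYZ.DOMAIN.COM = {
  kdc = ad1.xyz.domain.com.:88
  kdc = ad1.xyz.domain.com.:88
  admin_server = ad1.xyz.domain.com.:464
  default_domain = xyz.domain.com
 }

[domain_realm]
 .ad1.abc.domain.com = ABC.DOMAIN.COM
 ad1.abc.domain.com = ABC.DOMAIN.COM
 .ad1.xyz.domain.com = XYZ.DOMAIN.COM
 ad1.xyz.domain.com = XYZ.DOMAIN.COM
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used above.

    Returns {section: {key: value}}.  A key repeated inside one block (the
    two 'kdc =' lines) is collected into a list; 'NAME = { ... }' becomes a
    nested dict.  Comments (#) and blank lines are ignored.
    """
    conf = {}
    section = None
    stack = []                      # dicts we are currently inside
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                       # new top-level section
            section = conf.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError('key outside of a section: %r' % raw)
        if line == '}':             # close a '{ ... }' block
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':            # open a nested block, e.g. a realm
            block = {}
            stack[-1][key] = block
            stack.append(block)
            continue
        cur = stack[-1]
        if key in cur:              # repeated key -> list of values
            if not isinstance(cur[key], list):
                cur[key] = [cur[key]]
            cur[key].append(value)
        else:
            cur[key] = value
    return conf


def realm_for_host(host, conf):
    """Return (realm, how) for a hostname using the [domain_realm] walk.

    Order, as MIT libkrb5 does it: the exact (lower-cased) hostname, then
    each parent domain with a leading dot ('.ad1.xyz.domain.com',
    '.xyz.domain.com', ...).  Assumption for this offline example: when no
    entry matches we fall straight back to default_realm instead of trying
    the DNS TXT lookup that dns_lookup_realm = true would enable.
    """
    mapping = {k.lower(): v for k, v in conf.get('domain_realm', {}).items()}
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host], 'exact'
    labels = host.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in mapping:
            return mapping[parent], parent
    return conf['libdefaults']['default_realm'], 'default_realm'


def kdcs_for_realm(realm, conf):
    """De-duplicated, order-preserving list of KDCs configured for a realm."""
    kdcs = conf.get('realms', {}).get(realm, {}).get('kdc', [])
    if isinstance(kdcs, str):
        kdcs = [kdcs]
    return list(dict.fromkeys(kdcs))


def report(hosts, conf):
    """Map each host to a realm and list that realm's KDCs."""
    return {h: realm_for_host(h, conf) + (kdcs_for_realm(realm_for_host(h, conf)[0], conf),)
            for h in hosts}


if __name__ == '__main__':
    cfg = parse_krb5_conf(KRB5_CONF)
    hosts = ['ad1.xyz.domain.com', 'pc7.ad1.xyz.domain.com', 'webserver.domain.com']
    for host, (realm, via, kdcs) in report(hosts, cfg).items():
        print('%-26s -> %-15s (via %s) kdc=%s' % (host, realm, via, ', '.join(kdcs)))
```

Running it shows that only names under ad1.abc.domain.com and ad1.xyz.domain.com get an explicit mapping from this [domain_realm] section; any other host, including the web server name, falls through to default_realm (or, in a real client, to DNS), which is a useful thing to know when reasoning about how a client in one realm decides which realm a service principal belongs to.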