Multiple realms in one krb5.conf
Douglas E. Engert
deengert at anl.gov
Mon Dec 15 11:52:29 EST 2008
James Chavez wrote:
> Hello list,
>
> I have a question that I need assistance with.
>
> I have a Windows 2003 AD setup.
> The forest consists of 3 domains.
> So we will say the name is
> example.com and there are 3 domains.
>
> america.example.com
> asia.example.com
> europe.example.com
>
> Is it possible to configure the krb5.conf on a station so that kerberos
> can service login requests for each of the 3 domains?
Maybe, but it is not clear what you mean.
> Is this as simple as adding an entry for each realm in the realms
> section of the krb5.conf file?
That is part of it, although DNS could be used to find the realms.
You say logins, so I am assuming that the station is Unix based.
Login would use PAM with a pam_krb5, and the station above will
need to have a principal in one of the realms and a keytab
to match.
But if a user is in one AD domain and the server is in a different
AD domain, this would be cross realm and the pam_krb5 would have
to do some additional checks.
Kerberos only does authentication; you still need to authorize
the user to login.
Start here, as this gives the basic concepts:
http://technet.microsoft.com/en-us/library/bb742433.aspx
>
>
> Thank you
> James
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
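A krb5.conf illustrating the reply above (realms section for all three AD domains, DNS-based KDC lookup, and the cross-realm path), added here as an example and not taken from the thread. The realm names follow the domain names in the question; the KDC host names (dc1.*) and the assumption that EXAMPLE.COM is the forest root realm are made up for the example.

```ini
[libdefaults]
    default_realm = AMERICA.EXAMPLE.COM
    # AD publishes _kerberos._udp.<realm> SRV records, so the client can
    # find KDCs by DNS; the explicit kdc = lines below are a fallback.
    dns_lookup_kdc = true
    # Keep host-to-realm mapping static (see [domain_realm]) rather than
    # trusting DNS TXT records for it.
    dns_lookup_realm = false
    forwardable = true
    rdns = false

[realms]
    # One stanza per AD domain; host names dc1.* are assumed, not real.
    AMERICA.EXAMPLE.COM = {
        kdc = dc1.america.example.com
        admin_server = dc1.america.example.com
    }
    ASIA.EXAMPLE.COM = {
        kdc = dc1.asia.example.com
        admin_server = dc1.asia.example.com
    }
    EUROPE.EXAMPLE.COM = {
        kdc = dc1.europe.example.com
        admin_server = dc1.europe.example.com
    }

[domain_realm]
    # Map each DNS domain (and its subdomains) to its Kerberos realm.
    .america.example.com = AMERICA.EXAMPLE.COM
    america.example.com  = AMERICA.EXAMPLE.COM
    .asia.example.com    = ASIA.EXAMPLE.COM
    asia.example.com     = ASIA.EXAMPLE.COM
    .europe.example.com  = EUROPE.EXAMPLE.COM
    europe.example.com   = EUROPE.EXAMPLE.COM

[capaths]
    # Cross-realm: a user from one child domain reaching a host in another
    # is routed through the forest root. This assumes EXAMPLE.COM is the
    # root realm; MIT krb5 would walk this hierarchy by default anyway,
    # so the section mainly documents the expected trust path.
    AMERICA.EXAMPLE.COM = {
        ASIA.EXAMPLE.COM   = EXAMPLE.COM
        EUROPE.EXAMPLE.COM = EXAMPLE.COM
    }
    ASIA.EXAMPLE.COM = {
        AMERICA.EXAMPLE.COM = EXAMPLE.COM
        EUROPE.EXAMPLE.COM  = EXAMPLE.COM
    }
```

This only gets the station authenticating against each realm; as the reply notes, authorization (which principals from which realms may log in) is a separate pam_krb5/account-stage decision and is not controlled by krb5.conf.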