Kerberos authentication against multiple Windows Domains

Markus Moeller huaraz at moeller.plus.com
Wed Mar 25 17:51:24 EDT 2009


"Earl, Kevan C" <Kevan.Earl at astrazeneca.com> wrote in message 
news:3154FEBCFB92804DA39A2560E171837604CD7FBF at ukaprdembx02.rd.astrazeneca.net...
> Hello Markus,
>
> Thank you for this advice.  I shall try out your suggestion.
>
> When I run kinit -V us_domain_uid at EU.COMPANY.NET I get the message:
>

Mustn't that be kinit -V us_domain_uid at US.COMPANY.NET?

> kinit(v5): Client not found in Kerberos database while getting initial 
> credentials
>
> while kinit -V eu_domain_uid at EU.COMPANY.NET prompts for password.
>
> I understood that there were trusts between the domains, but this looks 
> like there isn't.

The kinit of a user has nothing to do with trust.

>
> Regards,
> Kevan Earl
>
>
>
> --------------------------------------------------------------------------
> AstraZeneca UK Limited is a company incorporated in England and Wales with 
> registered number: 03674842 and a registered office at 15 Stanhope Gate, 
> London W1K 1LN.
> Confidentiality Notice: This message is private and may contain 
> confidential, proprietary and legally privileged information. If you have 
> received this message in error, please notify us and remove it from your 
> system and note that you must not copy, distribute or take any action in 
> reliance on it. Any unauthorised use or disclosure of the contents of this 
> message is not permitted and may be unlawful.
> Disclaimer: Email messages may be subject to delays, interception, 
> non-delivery and unauthorised alterations. Therefore, information 
> expressed in this message is not given or endorsed by AstraZeneca UK 
> Limited unless otherwise notified by an authorised representative 
> independent of this message. No contractual relationship is created by 
> this message by any person unless specifically indicated by agreement in 
> writing other than email.
> Monitoring: AstraZeneca UK Limited may monitor email traffic data and 
> content for the purposes of the prevention and detection of crime, 
> ensuring the security of our computer systems and checking Compliance with 
> our Code of Conduct and Policies.
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu]On
> Behalf Of Markus Moeller
> Sent: 25 March 2009 00:04
> To: kerberos at mit.edu
> Subject: Re: Kerberos authentication against multiple Windows Domains
>
>
>
> "Earl, Kevan C" <Kevan.Earl at astrazeneca.com> wrote in message
> news:3154FEBCFB92804DA39A2560E17183760341FE80 at ukaprdembx02.rd.astrazeneca.net...
>> Hello,
>>
>> I'm after some advice on how to configure Kerberos v5 to authenticate
>> users from different Windows domains to the same Apache hosted
>> application.  Is this possible?  If so, is there a simple guide on what
>> needs to be done in order to achieve it that can be shared with me?
>>
>> I have Kerberos v5 installed with a Kerberos-capable version of Apache on
>> AIX 5.3.
>> I have had a keytab file generated in the Windows "EU" domain, and have
>> configured the server so the application authenticates users from the 
>> "EU"
>> domain.
>>
>> /etc/krb5.conf is similar to:
>>
>> [libdefaults]
>>        default_realm = EU.COMPANY.NET
>>
>> [realms]
>>        EU.COMPANY.NET = {
>>                kdc = eudc01.eu.company.net
>>                admin_server = eudc01.eu.company.net
>>                default_domain = eu.company.net
>>                }
>>
>> [domain_realm]
>>        .svr_domain.company.net = EU.COMPANY.NET
>>        svr_domain.company.net = EU.COMPANY.NET
>>
>> What do I need to do in order to also authenticate users from the
>> companies "US" domain, which is controlled by separate domain
>> controller(s), to the application?
>>
>
> If the domains have a trust you don't need to do anything. If they don't
> have trust then you need to create a second keytab entry for the host in
> the US DC with a second DNS name.
>
> e.g. In the EU domain the server is server.eu.company.net with a key
> HTTP/server.eu.company.net at EU.COMPANY.NET in eudc01 and in the US domain
> the server is server.us.company.net with a key
> HTTP/server.us.company.net at US.COMPANY.NET in usdc01.
>
> Merge both keys in one keytab for apache and configure the apache
> kerberos module to accept all names (I think it is KrbServiceName Any in
> mod-auth-kerb)
>
>
>> Any help anyone can give me would be very gratefully received.
>>
>> Regards,
>> Kevan Earl
>>
>
> Regards
> Markus
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
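Markus's fix for the no-trust case is two HTTP keys, one issued by each domain, merged into the single keytab that Apache reads. The check a practitioner wants after merging is that both service principals actually landed in the file with the expected realm and kvno; `klist -k` shows this, but it is also easy to verify programmatically. The following is an added example, not code from this thread or from MIT Kerberos: it reads the MIT keytab file format (version 0x0502) and reports which of the expected `HTTP/<fqdn>@REALM` principals have no key. The principal names are taken from the thread; the key bytes, kvnos and timestamps are constructed dummies, so the sample keytab built here is not usable for anything.

```python
"""Check that a merged keytab holds the HTTP service key for every realm.

Added example for this thread (not code from the list or from MIT Kerberos).
It reads the MIT keytab file format, version 0x0502, and reports which of the
expected HTTP/<fqdn>@REALM principals have no key in the file.  Principal
names follow the thread; key bytes, kvnos and timestamps are constructed.
"""
import struct
from typing import List, NamedTuple

KEYTAB_MAGIC = b"\x05\x02"  # keytab file format version 2 (MIT, Heimdal, Windows ktpass)
KRB5_NT_PRINCIPAL = 1
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


class KeytabEntry(NamedTuple):
    principal: str   # e.g. HTTP/server.eu.company.net
    realm: str       # e.g. EU.COMPANY.NET
    kvno: int
    enctype: int


def _counted(data: bytes) -> bytes:
    """keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one v2 entry so a sample keytab can be constructed in memory."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))       # v2 count excludes the realm
    body += _counted(realm.encode())
    for component in components:
        body += _counted(component.encode())
    body += struct.pack(">I", KRB5_NT_PRINCIPAL)
    body += struct.pack(">I", timestamp)
    body += struct.pack(">B", kvno & 0xFF)          # 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body      # entry is prefixed by its signed 32-bit size


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    """Walk the entry records; a negative size marks a slot deleted by ktutil."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        components = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            components.append(blob[pos:pos + clen].decode())
            pos += clen
        pos += 8                                      # skip name_type and timestamp
        kvno = blob[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen                               # skip the key material itself
        if end - pos >= 4:                            # optional 32-bit kvno written by newer tools
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append(KeytabEntry("/".join(components), realm, kvno, enctype))
    return entries


def missing_principals(entries: List[KeytabEntry], expected: List[str]) -> List[str]:
    """Expected HTTP/<fqdn>@REALM names that have no key in the keytab."""
    present = {f"{e.principal}@{e.realm}" for e in entries}
    return sorted(p for p in expected if p not in present)


# Constructed sample: the two SPNs from the thread, with dummy (all-zero) keys.
EXPECTED = [
    "HTTP/server.eu.company.net@EU.COMPANY.NET",
    "HTTP/server.us.company.net@US.COMPANY.NET",
]
EU_ONLY_KEYTAB = KEYTAB_MAGIC + build_entry(EXPECTED[0], kvno=3, enctype=23, key=bytes(16))
MERGED_KEYTAB = EU_ONLY_KEYTAB + build_entry(EXPECTED[1], kvno=5, enctype=18, key=bytes(32))

if __name__ == "__main__":
    for label, blob in (("EU only", EU_ONLY_KEYTAB), ("merged", MERGED_KEYTAB)):
        entries = parse_keytab(blob)
        for e in entries:
            print(f"{label}: {e.principal}@{e.realm} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
        print(f"{label}: missing = {missing_principals(entries, EXPECTED)}")
```

On a real host the same check is `klist -k -t /path/to/apache.keytab` against the merged file: if the US entry is missing or its kvno does not match what the US DC currently holds, tickets from US clients will fail to decrypt even with `KrbServiceName Any` set in mod_auth_kerb, since that directive only lets Apache pick whichever matching key the keytab already contains.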