Trust between AD and MIT Kerberos

Mikkel Kruse Johnsen mikkel at linet.dk
Tue Sep 22 04:53:40 EDT 2009


Hi All

I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT
Kerberos (CBS.DK).

On the Windows machines I have:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
    KdcNames: kdc1.cbs.dk kdc2.cbs.dk


Adding "HTTP/od.cbs.dk@CBS.DK" to my CBS.DK and using mod_auth_kerb in
Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens.

In my log file "/var/log/krb5kdc.log" I could see that a lot of requests
came from Windows machines.


Now the IT department created a UPN suffix on the AD called CBS.DK and
SSO stopped working on Windows clients. The request in
"/var/log/krb5kdc.log" stopped.

We removed the UPN suffix from the AD, but Windows clients are still not
working and the requests in "/var/log/krb5kdc.log" do not happen anymore.
Everything is fine on Linux.

It seems that Windows clients no longer use
"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg.

I have been searching the net for months now. Does anyone have any idea what is
wrong?

Is there a way to map domains to realms in Windows, like [domain_realm] in
krb5.conf?


Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work:   +45 21287793
Mobile: +45 21287793
Email:  mikkel at linet.dk
IM:     mikkel at linet.dk (MSN)

Healthcare Network Consultant
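As an added example (not part of the original post), the following PowerShell script shows how an administrator can check what a Windows workstation currently holds for the CBS.DK realm under the registry key the post names, register the KDCs through the ksetup tool instead of editing the registry directly, and add a host-to-realm mapping, which is the Windows counterpart of the krb5.conf [domain_realm] section the poster asks about. The realm, KDC and host names are taken from the post; that these commands resolve the specific failure described is not established by the thread, so treat the dumpstate output as the check to compare before and after the UPN-suffix change. The script must run in an elevated session.

```powershell
# Added example, not from the original post. Inspects and (re)creates the
# per-realm KDC mapping the post refers to, then adds a host-to-realm mapping
# (the Windows counterpart of krb5.conf [domain_realm]). Realm, KDC and host
# names come from the post; run this in an elevated PowerShell session.

$Realm   = 'CBS.DK'
$Kdcs    = @('kdc1.cbs.dk', 'kdc2.cbs.dk')
$WebHost = 'od.cbs.dk'
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"

# 1. Record what the workstation currently knows about the realm, so a
#    "before" state exists to compare against after changes.
if (Test-Path $RegPath) {
    $current = (Get-ItemProperty -Path $RegPath -Name KdcNames -ErrorAction SilentlyContinue).KdcNames
    Write-Host "KdcNames for ${Realm}: $($current -join ' ')"
} else {
    Write-Host "No realm entry for $Realm under Lsa\Kerberos\Domains."
}

# 2. Register the KDCs with ksetup rather than writing REG_MULTI_SZ by hand;
#    ksetup maintains the same Domains\<REALM> key the post mentions.
foreach ($kdc in $Kdcs) {
    ksetup /addkdc $Realm $kdc
}

# 3. Map the web server host to the realm so the client requests a ticket for
#    HTTP/od.cbs.dk from CBS.DK instead of deriving the realm from the DNS
#    suffix. This is the closest Windows equivalent of [domain_realm].
ksetup /addhosttorealmmap $WebHost $Realm

# 4. Print the resulting Kerberos client configuration for verification.
ksetup /dumpstate
```

If the workstation is domain-joined, ksetup /dumpstate also reports the default realm and the KDC list it will use for the trusted realm; comparing that output with the krb5kdc.log on the KDC side shows whether the client is actually sending requests to kdc1.cbs.dk or kdc2.cbs.dk.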
