Trust between AD and MIT Kerberos

Markus Moeller huaraz at moeller.plus.com
Tue Sep 22 16:48:01 EDT 2009


Are you looking for something like this?

 netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home

This tells the w2k3 domain WINDOWS2003.HOME that hosts within the domain
suse.home belong to the MIT domain SUSE.HOME.

Markus

"Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message 
news:mailman.20.1253609653.18120.kerberos at mit.edu...
> Hi All
>
> I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT
> Kerberos (CBS.DK).
>
> On the Windows machines I have:
>
> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
>    KdcNames: kdc1.cbs.dk kdc2.cbs.dk
>
>
> After adding "HTTP/od.cbs.dk@CBS.DK" to my CBS.DK and using mod_auth_kerb in
> Apache, SSO worked on both Windows and Linux clients with HHK.DK tokens.
>
> In my log file "/var/log/krb5kdc.log" I could see that a lot of requests
> came from Windows machines.
>
>
> Now the IT department created a UPN suffix on the AD called CBS.DK and
> SSO stopped working on Windows clients. The requests in
> "/var/log/krb5kdc.log" stopped.
>
> We removed the UPN suffix from the AD, but Windows clients are not
> working and the requests to "/var/log/krb5kdc.log" do not happen anymore.
> Everything is fine on Linux.
>
> It seems that Windows clients no longer use the
> "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" key
> in the registry.
>
> Have been searching the net for month now. Does anyone have any ideas what
> is wrong?
>
> Is there a way to map domains to realms in Windows like [domain_realm] in
> krb5.conf?
>
>
> Med Venlig Hilsen / Kind Regards
>
>
> Mikkel Kruse Johnsen
> Adm.Dir.
>
> Linet
> Ørholmgade 6 st tv
> Copenhagen N 2200
> Denmark
>
> Work:    +45 21287793
> Mobile:  +45 21287793
> Email:   mikkel at linet.dk
> IM:      mikkel at linet.dk (MSN)
> Professional Profile
> Healthcare
> Network Consultant
> 
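
For reference, the host-to-realm mapping that [domain_realm] in krb5.conf provides, and that the question asks Windows to replicate, can be sketched as follows. This is an added example, not code from either poster or from MIT Kerberos; the stanza contents and the host names other than od.cbs.dk are constructed, and the lookup order (exact host entry first, then progressively shorter ".domain" entries) follows the documented MIT behaviour.

```python
# Constructed krb5.conf fragment using the realm names from this thread.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CBS.DK

[domain_realm]
    .cbs.dk = CBS.DK
    cbs.dk = CBS.DK
    .hhk.dk = HHK.DK
    # constructed exception: one host in the AD DNS domain served by the MIT realm
    legacy.hhk.dk = CBS.DK
"""


def parse_domain_realm(text):
    """Return the [domain_realm] entries of a krb5.conf as {name: REALM}."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def host_to_realm(host, mapping):
    """Resolve a host name to a realm, most specific entry first."""
    name = host.lower().rstrip(".")
    if name in mapping:  # an entry without a leading dot matches one host only
        return mapping[name]
    labels = name.split(".")
    for i in range(1, len(labels)):  # then ".cbs.dk", then ".dk", ...
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no entry applies; the client falls back to other methods


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for h in ("od.cbs.dk", "pc1.hhk.dk", "legacy.hhk.dk", "example.org"):
        print(h, "->", host_to_realm(h, table))
```
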



