Trust between AD and MIT Kerberos

Mikkel Kruse Johnsen mikkel at linet.dk
Wed Sep 23 02:52:47 EDT 2009


Hi Markus

Is it possible to do:

netdom trust HHK.DK /domain:CBS.DK /addtln:od.cbs.dk

And only have Windows clients ask my MIT Kerberos server when accessing
https://od.cbs.dk ?
Or is it only for the whole domain?


Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen

Tue, 22 09 2009 at 21:48 +0100, Markus Moeller wrote:

> Are you looking for something like this?
> 
>  netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
> 
> This tells the w2k3 domain WINDOWS2003.HOME that hosts within the domain
> suse.home belong to the MIT domain SUSE.HOME
> 
> Markus
> 
> "Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message 
> news:mailman.20.1253609653.18120.kerberos at mit.edu...
> > Hi All
> >
> > I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT
> > Kerberos (CBS.DK).
> >
> > On the Windows machines I have:
> >
> > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
> >    KdcNames: kdc1.cbs.dk kdc2.cbs.dk
> >
> >
> > Adding "HTTP/od.cbs.dk@CBS.DK" to my CBS.DK and using mod_auth_kerb in
> > Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens.
> >
> > In my log file "/var/log/krb5kdc.log" I could see that a lot of requests
> > came from Windows machines.
> >
> >
> > Now the IT department created a UPN suffix on the AD called CBS.DK and
> > SSO stopped working on Windows clients. The requests in
> > "/var/log/krb5kdc.log" stopped.
> >
> > We removed the UPN suffix from the AD, but Windows clients are not
> > working and the requests to "/var/log/krb5kdc.log" do not happen anymore.
> > Everything is fine on Linux.
> >
> > It seems that Windows clients no longer use the
> > "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK"
> > in the registry.
> >
> > I have been searching the net for a month now. Does anyone have any idea
> > what is wrong?
> >
> > Is there a way to map domains to realms in Windows like [domain_realm] in
> > krb5.conf?
> >
> >
> > Med Venlig Hilsen / Kind Regards
> >
> > Mikkel Kruse Johnsen
> > 
> 
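The host-versus-whole-domain distinction asked about at the top of this message, shown on the MIT side with the [domain_realm] section mentioned in the quoted post. This is an added example, not part of the original thread: the two config fragments are constructed, and the lookup is a simplified version of the documented rule (exact host name first, then parent domains written with a leading period).

```python
# Added example: resolve a host name to a realm from a krb5.conf
# [domain_realm] section. Both fragments below are constructed samples.

HOST_ONLY = """
[domain_realm]
    od.cbs.dk = CBS.DK
"""

WHOLE_DOMAIN = """
[domain_realm]
    .cbs.dk = CBS.DK
    cbs.dk = CBS.DK
"""


def parse_domain_realm(text):
    """Return {name: realm} for entries inside [domain_realm] only."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm  # host/domain names are lower case
    return mapping


def realm_for_host(host, mapping):
    """Exact host entry wins; otherwise the nearest '.parent.domain' entry.

    Returns None when nothing matches, which is the case where the client
    falls back to its default realm (assumption: no other mapping source).
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None
```

With `HOST_ONLY`, only `od.cbs.dk` is sent to CBS.DK and every other host under `cbs.dk` stays unmapped; with `WHOLE_DOMAIN`, every host under `cbs.dk` resolves to CBS.DK.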