Trust between AD and MIT Kerberos

Markus Moeller huaraz at moeller.plus.com
Wed Sep 23 17:33:58 EDT 2009


Unfortunately you cannot; it is only for DNS name suffixes, not for hosts.

Markus

"Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message 
news:1253688767.1990.3.camel at tux.lib.cbs.dk...
> Hi Markus
>
> Is it possible to do:
>
> netdom trust HHK.DK /domain:CBS.DK /addtln:od.cbs.dk
>
> And only have Windows clients ask my MIT Kerberos server when accessing
> https://od.cbs.dk ?
> Or is it only for the whole domain?
>
>
> Med Venlig Hilsen / Kind Regards
>
> Mikkel Kruse Johnsen
> Adm.Dir.
>
> Linet
> Ørholmgade 6 st tv
> Copenhagen N 2200
> Denmark
>
> Work: +45 21287793
> Mobile: +45 21287793
> Email: mikkel at linet.dk
> IM: mikkel at linet.dk (MSN)
> Professional Profile: Healthcare Network Consultant
>
> Tue, 22 09 2009 at 21:48 +0100, Markus Moeller wrote:
>
>> Are you looking for something like this?
>>
>>  netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
>>
>> This tells the w2k3 domain WINDOWS2003.HOME that hosts within the domain
>> suse.home belong to the MIT domain SUSE.HOME
>>
>> Markus
>>
>> "Mikkel Kruse Johnsen" <mikkel at linet.dk> wrote in message
>> news:mailman.20.1253609653.18120.kerberos at mit.edu...
>> > Hi All
>> >
>> > I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT
>> > Kerberos (CBS.DK).
>> >
>> > On the Windows machines I have:
>> >
>> > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
>> >    KdcNames: kdc1.cbs.dk kdc2.cbs.dk
>> >
>> >
>> > Adding "HTTP/od.cbs.dk at CBS.DK" to my CBS.DK and using mod_auth_kerb in
>> > Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens.
>> >
>> > In my log file "/var/log/krb5kdc.log" I could see that a lot of requests
>> > came from Windows machines.
>> >
>> >
>> > Now the IT department created a UPN suffix on the AD called CBS.DK and
>> > SSO stopped working on Windows clients. The requests in
>> > "/var/log/krb5kdc.log" stopped.
>> >
>> > We removed the UPN suffix from the AD, but Windows clients are not
>> > working and the requests in "/var/log/krb5kdc.log" do not happen
>> > anymore.
>> > Everything is fine on Linux.
>> >
>> > It seems that Windows clients no longer use the
>> > "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" key in the registry.
>> >
>> > I have been searching the net for months now. Does anyone have any ideas what is
>> > wrong?
>> >
>> > Is there a way to map domains to realms in Windows like [domain_realm] in
>> > krb5.conf?
>> >
>> >
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
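For contrast with the suffix-only `netdom trust /addtln` mapping Markus describes, here is an added Python example (not from the thread or from MIT krb5 itself) approximating how the MIT `[domain_realm]` section that Mikkel asks about resolves a host name to a realm: an entry without a leading dot maps only that exact host, an entry with a leading dot maps every host under that DNS suffix, and the most specific match wins. The krb5.conf fragment below is constructed for the example; the realm and host names are the ones used in the thread.

```python
from typing import Dict, Optional

# Constructed krb5.conf fragment (example data, not Mikkel's real config).
# "od.cbs.dk" (no leading dot) maps only that web server to the MIT realm;
# ".hhk.dk" (leading dot) maps every host under the AD domain.
KRB5_CONF = """
[libdefaults]
    default_realm = HHK.DK

[domain_realm]
# exact host: only the Apache server is served by the MIT KDC
    od.cbs.dk = CBS.DK
# suffix: all hosts under the Windows domain
    .hhk.dk = HHK.DK
    hhk.dk = HHK.DK
"""


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Return the host-or-suffix -> realm entries of the [domain_realm] section."""
    entries: Dict[str, str] = {}
    in_section = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        if line.startswith("["):              # section header
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            entries[key.lower()] = realm      # DNS names compare case-insensitively
    return entries


def host_to_realm(hostname: str, entries: Dict[str, str]) -> Optional[str]:
    """Approximation of MIT's lookup order: the full host name first, then each
    shorter parent suffix written with a leading dot. None means no mapping;
    libkrb5 would then fall back to its other methods and the default realm."""
    host = hostname.lower().rstrip(".")
    if host in entries:                       # exact-host entry
        return entries[host]
    labels = host.split(".")
    for i in range(1, len(labels)):           # ".od.cbs.dk", ".cbs.dk", ".dk"
        suffix = "." + ".".join(labels[i:])
        if suffix in entries:
            return entries[suffix]
    return None
```

With this config `od.cbs.dk` resolves to CBS.DK while another host such as `www.cbs.dk` gets no `[domain_realm]` match at all, which is exactly the per-host selectivity Markus says the Windows suffix mapping cannot express.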