some cross-realm trust questions

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Mon Dec 27 00:14:32 EST 2010


Russ Allbery wrote:

> > 2. Are there any success stories of servers in a Heimdal realm
> > authenticating users from a trusted Microsoft AD based realm?

> Yes, we do this.

I am just curious. What Windows client programs and Unix server
programs (or vice versa) must you use? How do you use this trust?

I am trying to set up a trust so that MSIE users could have an SSO to a
site running Apache on FreeBSD, but I don't know yet if the game is
worth the candle.

> > Is there documentation on how to set up such a one-way trust?

> We have a bidirectional trust, but I think the setup is substantially the
> same.  It's just like a regular bidirectional trust, except you would then
> delete the krbtgt principal for the Active Directory realm from the
> Heimdal realm.

> There's a section in the Heimdal manual on setting up cross-realm trust.
> On the Active Directory side, I've not done it personally, but:

> http://technet.microsoft.com/en-us/library/cc738617%28WS.10%29.aspx

This documentation seems incomplete because it does not mention some
issues with a non-Windows realm. I have another link:

http://technet.microsoft.com/en-us/library/bb742433.aspx

But it still escapes me how on earth I will end up with
krbtgt/UNIX.REALM@WINDOWS.REALM and krbtgt/WINDOWS.REALM@UNIX.REALM
having the same key. There is nothing in the above articles about
exporting and importing keytabs.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
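An added example, not part of Victor's message or Russ's reply: the Heimdal
side of the trust Russ describes, as a kadmin batch. The point it shows is
the one the message is stuck on: no keytab travels between the realms. Both
cross-realm principals are created on each KDC with the same trust password,
and each KDC derives the key from that password with the same string-to-key
function, so the keys match. Realm names, the KDC host name, the trust
password and the netdom/ksetup lines quoted in the comments are assumptions
of this example, not something taken from either poster.

```shell
#!/bin/sh
# Added example, not from the original thread: the Heimdal side of a
# realm trust with an Active Directory realm, written as a kadmin batch.
# Realm names, the KDC host name and the trust password are placeholders.
#
# The two cross-realm principals never get their key from a keytab. Each
# KDC is handed the same trust password and applies the same string-to-key
# function, so the resulting keys match. On the Windows side the password
# goes into the realm trust (syntax as I understand it; confirm it with
# "netdom trust /?" on the domain controller):
#
#   netdom trust UNIX.REALM /domain:WINDOWS.REALM /add /realm /passwordt:<TRUST_PW>
#   ksetup /addkdc UNIX.REALM kdc.unix.realm
#
# On the Heimdal side the same password goes to "kadmin -l add -p".

set -eu

UNIX_REALM=${UNIX_REALM:-UNIX.REALM}
WIN_REALM=${WIN_REALM:-WINDOWS.REALM}

# Print the kadmin batch. $1 = trust password, $2 = "bidirectional"
# (default) or "oneway". One-way here means AD users can reach Heimdal
# services, but Heimdal users cannot reach AD services.
heimdal_trust_commands() {
    pw=$1
    mode=${2:-bidirectional}

    # krbtgt/UNIX.REALM@WINDOWS.REALM is the cross-realm TGT the AD KDC
    # issues to its own users for our realm. Our KDC needs this key to
    # decrypt the ticket an AD user presents when asking for a service
    # such as HTTP/www.unix.realm@UNIX.REALM.
    echo "add -p \"$pw\" --max-ticket-life=1d --max-renewable-life=7d krbtgt/$UNIX_REALM@$WIN_REALM"

    # krbtgt/WINDOWS.REALM@UNIX.REALM is the cross-realm TGT our KDC
    # issues to its own users for AD. It is created for the bidirectional
    # trust and deleted again for the one-way case, which is what Russ
    # describes: delete the krbtgt principal for the AD realm.
    echo "add -p \"$pw\" --max-ticket-life=1d --max-renewable-life=7d krbtgt/$WIN_REALM@$UNIX_REALM"
    if [ "$mode" = oneway ]; then
        echo "del krbtgt/$WIN_REALM@$UNIX_REALM"
    fi

    # Show the surviving principal; its kvno and enctypes are what the
    # AD side must agree with (see the note after the script).
    echo "get krbtgt/$UNIX_REALM@$WIN_REALM"
}

# The krbtgt principals the Heimdal KDC should hold once the batch has
# run, for comparison with "kadmin -l list 'krbtgt/*'".
expected_principals() {
    echo "krbtgt/$UNIX_REALM@$WIN_REALM"
    [ "${1:-bidirectional}" = oneway ] || echo "krbtgt/$WIN_REALM@$UNIX_REALM"
}

# Feed the batch to kadmin only when explicitly asked to and a Heimdal
# kadmin is on the path; otherwise just print it for review.
if [ "${APPLY_TRUST:-0}" = 1 ] && command -v kadmin >/dev/null 2>&1; then
    heimdal_trust_commands "${TRUST_PW:?set TRUST_PW}" "${TRUST_MODE:-oneway}" | kadmin -l
else
    heimdal_trust_commands "${TRUST_PW:-ChangeMe}" "${TRUST_MODE:-oneway}"
fi
```

Two caveats a practitioner will want. First, "same password" only gives "same key" when both sides also agree on the encryption type and salt: RC4-HMAC's string-to-key takes no salt, whereas the AES types fold the salt in, so if the AD side only ends up with an RC4 key for the trust, the Heimdal entry must have one too (the enctypes Heimdal generates on "add -p" come from the default_keys setting in the [kadmin] section of krb5.conf). Second, after the batch, check the direction you actually need from a Windows client with kinit against WINDOWS.REALM followed by kvno on the Apache host's HTTP/ principal; klist should then show a krbtgt/UNIX.REALM@WINDOWS.REALM entry, which is the ticket the Heimdal KDC decrypted with the key created above.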
