some cross-realm trust questions
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Mon Dec 27 00:14:32 EST 2010
Russ Allbery wrote:
> > 2. Are there any success stories of servers in a Heimdal realm
> > authenticating users from a trusted Microsoft AD based realm?
> Yes, we do this.
I am just curious. What Windows client programs and Unix server
programs (or vice versa) must you use? How do you use this trust?
I am trying to set up a trust so that MSIE users could have an SSO to a
site running Apache on FreeBSD but I don't know yet if the game is
worth the candle.
> > Is there documentation on how to set up such a one-way trust?
> We have a bidirectional trust, but I think the setup is substantially the
> same. It's just like a regular bidirectional trust, except you would then
> delete the krbtgt principal for the Active Directory realm from the
> Heimdal realm.
> There's a section in the Heimdal manual on setting up cross-realm trust.
> On the Active Directory side, I've not done it personally, but:
> http://technet.microsoft.com/en-us/library/cc738617%28WS.10%29.aspx
This documentation seems incomplete because it does not mention some
issues with a non-Windows realm. I have another link:
http://technet.microsoft.com/en-us/library/bb742433.aspx
But it still escapes me how on earth I will end up with
krbtgt/UNIX.REALM@WINDOWS.REALM and krbtgt/WINDOWS.REALM@UNIX.REALM
having the same key. There is nothing in the above articles about
exporting and importing keytabs.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/