some cross-realm trust questions

Russ Allbery rra at stanford.edu
Mon Dec 27 11:47:08 EST 2010


Victor Sudakov <vas at mpeks.no-spam-here.tomsk.su> writes:

> I am just curious. What Windows client programs and Unix server programs
> (or vice versa) must you use? How do you use this trust?

We allow all Active Directory users at Stanford to log on either in the AD
realm or in the university Heimdal realm, and try to set up as many
services as we can to accept either set of credentials as equivalent.
This is relatively easy on the AD side.  On the UNIX side, WebAuth (via
Negotiate-Auth/SPNEGO) is configured to trust AD credentials and treat
them as equivalent, as is AFS; the rest is somewhat hit or miss.  For
example, I don't think AD credentials work with GSSAPI authentication to
Zimbra, mostly because we've not gotten around to figuring out how to tell
Zimbra to treat the credentials as equivalent.

We also routinely authenticate automated UNIX clients to AD services and
vice versa for things like authenticated LDAP queries and the like.

In general, AD is used as the primary authentication realm for all
services running on Windows inside the AD forest, and for users who log in
via AD.  Most systems (such as student systems) are not joined to AD, and
general campus use all uses the Heimdal realm, with occasional cross-realm
authentications to Windows web services.  Most principals for automated
processes, host and service principals, and so forth are issued from the
Heimdal realm, since we have invested more effort into automated principal
management, distributed ACLs, and the like on the Heimdal side.

> I am trying to set up a trust so that MSIE users could have an SSO to a
> site running Apache on FreeBSD, but I don't know yet if the game is
> worth the candle.

It should be fairly straightforward.

> But it still escapes me how on earth I will end up with
> krbtgt/UNIX.REALM@WINDOWS.REALM and krbtgt/WINDOWS.REALM@UNIX.REALM
> having the same key. There is nothing in the above articles about
> exporting and importing keytabs.

You use a password.  Enter the same password on both sides when creating
the key, and then be sure to remove any extraneous enctypes on the Heimdal
side that AD isn't configured to provide.

I usually use a random password generator like apg with a fairly long
password length and large character set.
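As an added example (not part of Russ's reply, and not Heimdal's or Microsoft's own tooling), the Heimdal side of the procedure above as a small POSIX shell script: both krbtgt principals are created with one shared password, the key types that AD is not configured to provide are removed afterwards, and the principals are printed so the remaining key types can be checked. The realm names, the KADMIN and DROP_ENCTYPES settings, the choice of des3-cbc-sha1 as the enctype to drop and the netdom reminder are assumptions to adjust to the local setup.

```shell
#!/bin/sh
# Added example, not from the original post or from Heimdal: create both
# cross-realm krbtgt principals in a Heimdal KDC with one shared password,
# then drop the key types AD cannot use. Realm names, KADMIN and the
# DROP_ENCTYPES list below are assumptions; adjust them to the local setup.
set -eu

# How the KDC database is reached: "kadmin -l" edits the local database on
# the KDC itself. Set KADMIN=echo to preview the commands without running them.
: "${KADMIN:=kadmin -l}"

# Key types Heimdal creates by default that the (assumed) AD forest is not
# configured to provide. A cross-realm TGT encrypted in one of these would be
# unreadable by AD, which is why the extra enctypes have to be removed.
: "${DROP_ENCTYPES:=des3-cbc-sha1}"

# gen_password: a long random trust password. The post uses apg; openssl is
# the portable fallback here when apg is not installed.
gen_password() {
    if command -v apg >/dev/null 2>&1; then
        apg -a 1 -m 48 -x 48 -M SNCL -n 1
    else
        openssl rand -base64 36 | tr -d '\n'
    fi
}

# create_cross_realm_keys UNIX.REALM WINDOWS.REALM PASSWORD
# Both directions of the trust get the same password, which is also what
# gets typed into netdom on a domain controller so that the keys match.
create_cross_realm_keys() {
    unix_realm=$1; win_realm=$2; pw=$3
    for princ in "krbtgt/$unix_realm@$win_realm" "krbtgt/$win_realm@$unix_realm"; do
        # $KADMIN is left unquoted on purpose so "kadmin -l" splits into words.
        $KADMIN add --use-defaults --password="$pw" "$princ"
        if [ -n "$DROP_ENCTYPES" ]; then
            $KADMIN del_enctype "$princ" $DROP_ENCTYPES
        fi
    done
}

# show_keys UNIX.REALM WINDOWS.REALM: print both principals so the remaining
# "Keytypes" line can be compared with what AD actually supports.
show_keys() {
    $KADMIN get "krbtgt/$1@$2" "krbtgt/$2@$1"
}

# windows_side_hint UNIX.REALM WINDOWS.REALM: the matching netdom command to
# run on a domain controller (assumed syntax; the password must be the one
# passed to create_cross_realm_keys).
windows_side_hint() {
    printf 'netdom trust %s /Domain:%s /Add /Realm /Twoway /PasswordT:<same password>\n' "$1" "$2"
}
```

Typical use on the Heimdal KDC is `pw=$(gen_password); create_cross_realm_keys UNIX.REALM WINDOWS.REALM "$pw"; show_keys UNIX.REALM WINDOWS.REALM`, followed by `windows_side_hint UNIX.REALM WINDOWS.REALM` as the reminder of what to type on the AD side with the same password. Running with `KADMIN=echo` first prints the kadmin commands without touching the database, which is a cheap way to review the enctype list before the keys exist.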

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>