some cross-realm trust questions

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Fri Dec 31 00:35:02 EST 2010


Russ Allbery wrote:
> > I am just curious. What Windows client programs and Unix server programs
> > (or vice versa) must you use? How do you use this trust?

> We allow all Active Directory users at Stanford to log on either in the AD
> realm or in the university Heimdal realm, and try to set up as many
> services as we can to accept either set of credentials as equivalent.
> This is relatively easy on the AD side.  On the UNIX side, WebAuth (via
> Negotiate-Auth/SPNEGO) is configured to trust AD credentials and treat
> them as equivalent, as is AFS; the rest is somewhat hit or miss.  For
> example, I don't think AD credentials work with GSSAPI authentication to
> Zimbra, mostly because we've not gotten around to figuring out how to tell
> Zimbra to treat the credentials as equivalent.

> We also routinely authenticate automated UNIX clients to AD services and
> vice versa for things like authenticated LDAP queries and the like.

> In general, AD is used as the primary authentication realm for all
> services running on Windows inside the AD forest, and for users who log in
> via AD.  Most systems (such as student systems) are not joined to AD, and
> general campus use all uses the Heimdal realm, with occasional cross-realm
> authentications to Windows web services.  Most principals for automated
> processes, host and service principals, and so forth are issued from the
> Heimdal realm, since we have invested more effort into automated principal
> management, distributed ACLs, and the like on the Heimdal side.

Thank you, that was interesting to read.

> > I am trying to set up a trust so that MSIE users could have an SSO to a
> > site running Apache on FreeBSD but I don't know yet if the game is
> > worth the candle.

> It should be fairly straightforward.

I seem to have hit a problem where I did not expect any:

# apachectl configtest
httpd: Syntax error on line 106 of /usr/local/etc/apache22/httpd.conf:
Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
/usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
"gsskrb5_register_acceptor_identity"
#

# ldd /usr/local/libexec/apache22/mod_auth_kerb.so
/usr/local/libexec/apache22/mod_auth_kerb.so:
	libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x281b1000)
	libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x281ba000)
	libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x28300000)
	libhx509.so.10 => /usr/lib/libhx509.so.10 (0x281bf000)
	libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x281f5000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x2835e000)
	libasn1.so.10 => /usr/lib/libasn1.so.10 (0x284b9000)
	libroken.so.10 => /usr/lib/libroken.so.10 (0x2852e000)
	libcrypt.so.5 => /lib/libcrypt.so.5 (0x2853e000)
	libc.so.7 => /lib/libc.so.7 (0x28090000)


# uname -sr
FreeBSD 8.1-RELEASE
# pkg_info | grep ^ap
ap22-mod_auth_kerb-5.4_2 An Apache module for authenticating users with Kerberos v5
apache-2.2.17_1     Version 2.2.x of Apache web server with prefork MPM.
apr-nothr-devrandom-gdbm-1.4.2.1.3.10 Apache Portability Library
#


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
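The "Undefined symbol" error above means the dynamic loader could not find `gsskrb5_register_acceptor_identity` in any library the module is linked against, but the post does not say which library should have provided it. The script below is an added example (not code from the post, mod_auth_kerb or FreeBSD): it pairs `nm -D` output for a shared object with `ldd` output for its dependencies and reports, per imported symbol, which dependency exports it and which symbols nobody exports. The sample `ldd` and `nm` listings embedded in it are constructed, modelled on the listing above; `check_shared_object()` assumes `nm` and `ldd` are on `PATH` and that the host executable that will `dlopen()` the module (here `httpd`) may legitimately supply some symbols, as Apache does for `ap_*` functions.

```python
"""Added example: explain a dynamic-loader 'Undefined symbol' error by
checking which of a shared object's dependencies exports each symbol it
imports. Not part of the original mailing-list post."""
import subprocess
from typing import Dict, Iterable, List, Optional, Set

UNDEFINED_TYPES = {"U"}      # nm type letters for a required import
WEAK_TYPES = {"w", "v"}      # weak undefined: optional, never fails a load


def parse_ldd(text: str) -> List[str]:
    """Return resolved library paths from `ldd` output (lines with '=>')."""
    paths = []
    for line in text.splitlines():
        if "=>" not in line:
            continue
        target = line.split("=>", 1)[1].split()
        if target and target[0].startswith("/"):
            paths.append(target[0])
    return paths


def parse_nm(text: str) -> Dict[str, str]:
    """Map symbol name -> type letter from `nm -D` output.

    Defined symbols print address, type and name; undefined ones print only
    type and name, so the last two fields cover both. A '@VERSION' suffix
    (glibc-style symbol versioning) is stripped from the name."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or len(parts[-2]) != 1:
            continue  # header lines, 'no symbols', etc.
        symbols[parts[-1].split("@", 1)[0]] = parts[-2]
    return symbols


def undefined_symbols(nm_text: str) -> Set[str]:
    return {n for n, t in parse_nm(nm_text).items() if t in UNDEFINED_TYPES}


def defined_symbols(nm_text: str) -> Set[str]:
    return {n for n, t in parse_nm(nm_text).items()
            if t not in UNDEFINED_TYPES and t not in WEAK_TYPES}


def resolve(undefined: Iterable[str],
            providers: Dict[str, Set[str]]) -> Dict[str, Optional[str]]:
    """For each imported symbol, the first provider exporting it, or None."""
    return {sym: next((p for p, exports in providers.items() if sym in exports), None)
            for sym in sorted(undefined)}


def missing(report: Dict[str, Optional[str]]) -> List[str]:
    """Symbols no listed dependency exports: these will fail the load."""
    return sorted(s for s, p in report.items() if p is None)


def _run(cmd: List[str]) -> str:
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def check_shared_object(module: str, host: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Real-world entry point; assumes `nm` and `ldd` on PATH (assumption)."""
    deps = ([host] if host else []) + parse_ldd(_run(["ldd", module]))
    providers = {dep: defined_symbols(_run(["nm", "-D", dep])) for dep in deps}
    return resolve(undefined_symbols(_run(["nm", "-D", module])), providers)


# Constructed sample data modelled on the post's ldd listing (not real output).
SAMPLE_LDD = """\
/usr/local/libexec/apache22/mod_auth_kerb.so:
\tlibgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x281b1000)
\tlibkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x28300000)
\tlibc.so.7 => /lib/libc.so.7 (0x28090000)
"""
SAMPLE_NM = {
    "module": """\
                 U gss_accept_sec_context
                 U gsskrb5_register_acceptor_identity
                 U ap_log_rerror
                 w __cxa_finalize
00000000000012a0 D auth_kerb_module
""",
    "/usr/lib/libgssapi.so.10": "0000000000004f10 T gss_accept_sec_context\n",
    "/usr/lib/libkrb5.so.10": "0000000000009a40 T krb5_init_context\n",
    "/lib/libc.so.7": "0000000000031d20 T strlen\n",
    "httpd": "0000000000041ab0 T ap_log_rerror\n",
}


def demo() -> Dict[str, Optional[str]]:
    """Run the resolver over the constructed sample instead of live binaries."""
    providers = {"httpd": defined_symbols(SAMPLE_NM["httpd"])}
    for dep in parse_ldd(SAMPLE_LDD):
        providers[dep] = defined_symbols(SAMPLE_NM[dep])
    return resolve(undefined_symbols(SAMPLE_NM["module"]), providers)


if __name__ == "__main__":
    for sym, provider in demo().items():
        print(f"{sym:40s} -> {provider or 'NOT EXPORTED BY ANY DEPENDENCY'}")
```

On a live system, `check_shared_object("/usr/local/libexec/apache22/mod_auth_kerb.so", host="/usr/local/sbin/httpd")` answers the practical question: if no library in the `ldd` list exports the symbol, the module was built against a Kerberos/GSSAPI library set other than the one the loader is resolving at run time, and the fix is on the build or link side, not in `httpd.conf`.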


