some cross-realm trust questions
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Fri Dec 31 00:35:02 EST 2010
Russ Allbery wrote:
> > I am just curious. What Windows client programs and Unix server programs
> > (or vice versa) must you use? How do you use this trust?
> We allow all Active Directory users at Stanford to log on either in the AD
> realm or in the university Heimdal realm, and try to set up as many
> services as we can to accept either set of credentials as equivalent.
> This is relatively easy on the AD side. On the UNIX side, WebAuth (via
> Negotiate-Auth/SPNEGO) is configured to trust AD credentials and treat
> them as equivalent, as is AFS; the rest is somewhat hit or miss. For
> example, I don't think AD credentials work with GSSAPI authentication to
> Zimbra, mostly because we've not gotten around to figuring out how to tell
> Zimbra to treat the credentials as equivalent.
> We also routinely authenticate automated UNIX clients to AD services and
> vice versa for things like authenticated LDAP queries and the like.
> In general, AD is used as the primary authentication realm for all
> services running on Windows inside the AD forest, and for users who log in
> via AD. Most systems (such as student systems) are not joined to AD, and
> general campus use all uses the Heimdal realm, with occasional cross-realm
> authentications to Windows web services. Most principals for automated
> processes, host and service principals, and so forth are issued from the
> Heimdal realm, since we have invested more effort into automated principal
> management, distributed ACLs, and the like on the Heimdal side.
Thank you, that was interesting to read.
> > I am trying to setup a trust so that MSIE users could have a SSO to a
> > site running Apache on FreeBSD but I don't know yet if the game is
> > worth the candle.
> It should be fairly straightforward.
I seem to have hit a problem where I have not expected any:
# apachectl configtest
httpd: Syntax error on line 106 of /usr/local/etc/apache22/httpd.conf:
Cannot load /usr/local/libexec/apache22/mod_auth_kerb.so into server:
/usr/local/libexec/apache22/mod_auth_kerb.so: Undefined symbol
"gsskrb5_register_acceptor_identity"
#
# ldd /usr/local/libexec/apache22/mod_auth_kerb.so
/usr/local/libexec/apache22/mod_auth_kerb.so:
libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x281b1000)
libheimntlm.so.10 => /usr/lib/libheimntlm.so.10 (0x281ba000)
libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x28300000)
libhx509.so.10 => /usr/lib/libhx509.so.10 (0x281bf000)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x281f5000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x2835e000)
libasn1.so.10 => /usr/lib/libasn1.so.10 (0x284b9000)
libroken.so.10 => /usr/lib/libroken.so.10 (0x2852e000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x2853e000)
libc.so.7 => /lib/libc.so.7 (0x28090000)
# uname -sr
FreeBSD 8.1-RELEASE
# pkg_info | grep ^ap
ap22-mod_auth_kerb-5.4_2 An Apache module for authenticating users with Kerberos v5
apache-2.2.17_1 Version 2.2.x of Apache web server with prefork MPM.
apr-nothr-devrandom-gdbm-1.4.2.1.3.10 Apache Portability Library
#
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
More information about the Kerberos
mailing list