Kerberos cross-realm with AD
Jean-Yves Avenard
jyavenard at gmail.com
Sun Feb 6 19:36:50 EST 2011
Hi there.
I have a Mac OS server running MIT krb5 v1.7; it's been working great
for a while now. The realm used is M.DOMAIN.COM
I am in the process of setting up a Windows 2008 server with Active
Directory. The name of the new domain will be MEL.DOMAIN.COM
I'm trying to understand how I can configure the MIT Kerberos server
to accept realm coming from AD.
I have read the MIT documentation and created on both KDCs:
krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM
krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM
I then edited the Kerberos krb5.conf with the appropriate capaths and
configured AD to accept M.DOMAIN.COM issued tickets.
What I'm unclear about, however, is whether I need to configure all Kerberos
clients in a similar fashion or is this done only on the 2 KDCs?
In particular, I have a FreeBSD server running MIT krb5 1.9 with
mod_auth_kerb. It is set to accept the M.DOMAIN.COM realm. Do I need to
explicitly configure it to accept the MEL.DOMAIN.COM realm, or because
the two KDCs are configured to accept each other will it then be
automatic?
Thank you
Jean-Yves