Kerberos cross-realm with AD

Jean-Yves Avenard jyavenard at gmail.com
Sun Feb 6 19:36:50 EST 2011


Hi there.

I have a mac os server running MIT krb5 v1.7 ; it's been working great
for a while now. The realm used is M.DOMAIN.COM

I am in the process of setting up a Windows 2008 server with Active
Directory. The name of the new domain will be MEL.DOMAIN.COM

I'm trying to understand how I can configure the MIT kerberos server
to accept a realm coming from AD.

I have read the MIT documentation and created on both kdc
krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM
krbtgt/MEL.DOMAIN.COM@M.DOMAIN.COM

I then edited the kerberos krb5.conf with the appropriate capaths and
configured AD to accept M.DOMAIN.COM issued tickets.

What I'm unclear about, however, is: do I need to configure all kerberos
clients in a similar fashion, or is this done only on the 2 kdcs?

In particular, I have a FreeBSD server running MIT krb5 1.9 with
mod_auth_kerb. It is set to accept the M.DOMAIN.COM realm. Do I need to
explicitly configure it to accept the MEL.DOMAIN.COM realm, or because
the two kdcs are configured to accept each other will it then be
automatic?

Thank you
Jean-Yves
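As an added example that is not part of the original post, here is a krb5.conf fragment for the direct two-way trust described above; the KDC host names (kdc.m.domain.com, dc1.mel.domain.com) are assumed placeholders. The [capaths] and [domain_realm] sections are read from the local krb5.conf of whichever host uses them: a client consults [capaths] to find the path to the service realm, and an application server (and its KDC) consults it to verify the transited field of an incoming cross-realm ticket, so these entries are not learned from the KDCs automatically.

```ini
# Added example (not from the original post): krb5.conf for a direct
# two-way trust between MIT realm M.DOMAIN.COM and AD realm MEL.DOMAIN.COM.
# Host names below are assumed placeholders.
[libdefaults]
    default_realm = M.DOMAIN.COM

[realms]
    M.DOMAIN.COM = {
        kdc = kdc.m.domain.com
        admin_server = kdc.m.domain.com
    }
    MEL.DOMAIN.COM = {
        kdc = dc1.mel.domain.com
        admin_server = dc1.mel.domain.com
    }

# Maps host names to realms, so a client contacting a service on
# host.mel.domain.com asks for its service principal in MEL.DOMAIN.COM
# rather than in the default realm.
[domain_realm]
    .m.domain.com   = M.DOMAIN.COM
    m.domain.com    = M.DOMAIN.COM
    .mel.domain.com = MEL.DOMAIN.COM
    mel.domain.com  = MEL.DOMAIN.COM

# "." means the two realms share keys directly: no intermediate realm is
# allowed in the transited path. Listing both directions covers clients
# from either realm reaching services in the other.
[capaths]
    M.DOMAIN.COM = {
        MEL.DOMAIN.COM = .
    }
    MEL.DOMAIN.COM = {
        M.DOMAIN.COM = .
    }
```

A quick check after deploying this on a client: `kinit user@MEL.DOMAIN.COM` followed by `kvno http/host.m.domain.com@M.DOMAIN.COM` should leave both the cross-realm krbtgt/M.DOMAIN.COM@MEL.DOMAIN.COM and the service ticket visible in `klist`.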