Cross-realm between Windows Server 2008 R2

Richard Silverman res at deshaw.com
Tue Jun 21 16:47:08 EDT 2011


jm130794 <jm130794 at gmail.com> writes:

> Hello,
>
> I can open a session with my MIT user on seven but, when I try to create a
> file on his home directory Z:, I get an access error. I can see this message
> on my MIT Kerberos KDC:
>
> Jun 15 22:20:15 srv1 krb5kdc[1350](info): TGS_REQ (5 etypes {18 17 23 24
> -135}) 192.168.2.5: UNKNOWN_SERVER: authtime 0,  user1 at TEST.FR for cifs/
> dc1.ad.test.fr at TEST.FR, Server not found in Kerberos database
>
> Must I add a principal for my DC in the MIT database?

No; the client needs some way to know that the server is in your AD
realm and not the MIT realm TEST.FR (assuming I've got your realms
straight).  You can do this in various ways.  If your DNS matches your
realm structure, e.g. here all hosts with names *.ad.test.fr are in the
AD realm (let's call that ADREALM), you can either put a mapping in
/etc/krb5.conf:

[domain_realm]

ad.test.fr  = ADREALM
.ad.test.fr = ADREALM

... or, you can use the DNS for this:

_kerberos.ad.test.fr IN TXT "ADREALM"

... if you turn on kdc_lookup_realm in the [libdefaults] section of
krb5.conf.

Also, the current release of MIT Kerberos supports referrals, so you
could configure the KDC to refer clients to AD when appropriate.

In any event, the client needs to know or discover that this server is
in the AD realm, so it can obtain a cross-realm TGT from TEST.FR, and
present that to a domain controller to get a CIFS service ticket.

- Richard Silverman
  res at qoxp.net
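The following is an added example, not part of the original thread, that models the decision the reply above says the client has to make: mapping a service host name to a realm before it can request a cross-realm TGT. It implements both options named in the reply, the static `[domain_realm]` mapping (exact name vs. leading-dot parent-domain entries, longest match first, as krb5.conf documents it) and a DNS TXT walk over `_kerberos.<domain>` (the behaviour MIT krb5 enables with `dns_lookup_realm`). The DNS side is an in-memory dict standing in for a resolver, and all host names, realm names and records are constructed for the example.

```python
"""
Added example (not from the original mailing-list post): how a Kerberos client
decides which realm a service host belongs to, which is the decision the reply
above says the client must make before it can request a cross-realm TGT.

Two resolution strategies are modelled, mirroring the two options in the reply:
  1. a static [domain_realm] mapping such as the krb5.conf fragment in the reply
  2. a DNS TXT lookup of _kerberos.<domain>, walking up the name hierarchy

All names, realms and DNS records below are constructed for the example.
The DNS "resolver" is an in-memory dict so that this runs offline.
"""

DEFAULT_REALM = "TEST.FR"           # the client's own (MIT) realm, from the post

# Equivalent of the [domain_realm] stanza in the reply. A key starting with a dot
# matches any host *under* that domain; a key without a dot matches that exact
# name only. (This follows the documented krb5.conf semantics.)
DOMAIN_REALM = {
    "ad.test.fr": "ADREALM",
    ".ad.test.fr": "ADREALM",
}

# Constructed stand-in for DNS: TXT records keyed by owner name.
DNS_TXT = {
    "_kerberos.ad.test.fr": ["ADREALM"],
}


def realm_from_domain_realm(host, mapping=DOMAIN_REALM):
    """Return the realm for `host` using [domain_realm] rules, or None."""
    host = host.lower().rstrip(".")
    if host in mapping:                     # exact hostname/domain entry
        return mapping[host]
    # Try the longest matching parent-domain entry first: for a.b.c.d check
    # ".b.c.d", then ".c.d", then ".d".
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in mapping:
            return mapping[key]
    return None


def realm_from_dns(host, txt_records=DNS_TXT):
    """Return the realm advertised in a _kerberos.<domain> TXT record, or None.

    Mimics what libkrb5 does with dns_lookup_realm enabled: query
    _kerberos.<host>, then _kerberos.<parent>, ... until a record answers.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = "_kerberos." + ".".join(labels[i:])
        answers = txt_records.get(owner)
        if answers:
            return answers[0]
    return None


def resolve_realm(host, mapping=DOMAIN_REALM, txt_records=DNS_TXT, use_dns=True):
    """Static mapping first, DNS second, the client's default realm last."""
    realm = realm_from_domain_realm(host, mapping)
    if realm is None and use_dns:
        realm = realm_from_dns(host, txt_records)
    return realm or DEFAULT_REALM


def service_principal(service, host, **kw):
    """Build the service principal the client would ask a TGS for."""
    return f"{service}/{host}@{resolve_realm(host, **kw)}"


if __name__ == "__main__":
    # With the mapping in place the CIFS principal lands in ADREALM; with
    # neither mapping nor DNS hint the client falls back to its own realm and
    # asks TEST.FR's KDC, which is the UNKNOWN_SERVER situation in the log.
    print(service_principal("cifs", "dc1.ad.test.fr"))
    print(service_principal("cifs", "dc1.ad.test.fr", mapping={}, use_dns=False))
```

The order used by `resolve_realm` (static mapping, then DNS, then the default realm) is the useful thing to keep in mind when debugging an `UNKNOWN_SERVER` like the one quoted: if the log shows the service principal ending in the client's own realm, none of the earlier steps produced a realm for that host.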