Windows Kerberos trust relationship conundrum...

Dyer, Rodney rmdyer at uncc.edu
Mon Nov 5 15:49:11 EST 2012


Hi,

I need some advice.  I need to verify that an MIT/Windows trust option we've wanted to work, in fact cannot work.  Can someone here maybe provide some insightful comments on our setup?

Given:

1.  We have an existing Microsoft Win2k3 AD domain (MOSAIC.UNCC.EDU) in a cross-realm trust with an MIT KDC realm (UNCC.EDU).

2.  Our XP clients are members of the Win2k3 domain.

3.  Our XP users log on to the XP clients using their MIT realm credentials.

4.  Once logged on to XP, our users access a CIFS share, hosted off of one of the Win2k3 domain servers.  The access works without a password because the CIFS service ticket is served from the Win2k3 domain.  The MIT user's "tgt" is "trusted".

     This 'old' setup has worked fine for years.

     Now for the 'new' setup...

1.  We have set up a new Win2k8R2 domain "MOSAIC64.UNCC.EDU".

2.  The Win2k8R2 domain is also in a cross-realm trust with the MIT realm "UNCC.EDU".

3.  Our new Win7 clients are members of the Win2k8R2 domain.

4.  Once logged on to Win7, our user can access a CIFS share, hosted off of one of the Win2k8R2 domain servers.  The access works without a password because the CIFS service ticket is served from the Win2k8R2 domain.  The MIT user's "tgt" is "trusted".

     This 'new' setup works just fine.


|----------------------|
| MIT REALM:  UNCC.EDU |
|----------------------|
      ^         ^
      |         |
      |         |
      |         |  AD1 trust    |------| domain membership |-----------|
      |         --------------->| AD1  |<------------------| XP Client |<---[ user@UNCC.EDU ]
      |                         |------|                   |-----------|
      |                            ^             ---------/
      |                            |            /
      |                   |-------------------|/
      |                   | AD CIFS VOL SHARE |
      |                   |-------------------|
      |
      |
      |
      |
      |            AD2 trust    |------| domain membership |-------------|
      ------------------------->| AD2  |<------------------| Win7 Client |<---[ user@UNCC.EDU ]
                                |------|                   |-------------|
                                   ^             ---------/
                                   |            /
                          |-------------------|/
                          | AD CIFS VOL SHARE |
                          |-------------------|




     Now for our 'problem'...

1.  What we really need is for our XP and Win7 users to share the "same CIFS volume", either hosted off of the old Win2k3 CIFS share, or the new Win2k8R2 CIFS share.  We want this...


|----------------------|
| MIT REALM:  UNCC.EDU |
|----------------------|
      ^         ^
      |         |
      |         |
      |         |  AD1 trust    |------| domain membership |-----------|
      |         --------------->| AD1  |<------------------| XP Client |<---[ user@UNCC.EDU ]
      |                         |------|                   |-----------|
      |                            ^             ---------/
      |                            |            /
      |                   |-------------------|/
      |                   | AD CIFS VOL SHARE |
      |                   |-------------------|\
      |                                         \
      |                                          \------\
      |                                                  \
      |                                                   \
      |            AD2 trust    |------| domain membership |-------------|
      ------------------------->| AD2  |<------------------| Win7 Client |<----[ user@UNCC.EDU ]
                                |------|                   |-------------|

2.  We are finding no way to configure trusts, or set up 'forest' trusts, to allow sharing of a single CIFS share from both AD domains.


Does anyone know what, if any, options we may have here?

It would seem that since our XP/Win7 clients can only be members of one domain, or the other, then we have no capability to provide authentication through to a non-member domain, even if it is also in the same cross-realm trust with the MIT KDC.

Essentially, "user@AD1_DOMAIN" (while logged on a client that is an "AD1_DOMAIN" member) can't be mapped to "user@AD2_DOMAIN", even if both domains are trusting "MIT.REALM", and the user has a "user@MIT.REALM" TGT.

Is this reasoning correct?

Rodney

Rodney M. Dyer
Operations and Systems (Specialist)
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmdyer at uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office:  Cameron Hall, Room 232
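An added example, not part of Rodney's message, that models the trust graph in the diagrams above: the Python below computes the chain of cross-realm krbtgt tickets a principal needs to reach a service in another realm, using the realm names from the post. It assumes each cross-realm trust is a direct edge and, as a hypothetical default, non-transitive (the Windows default for a realm trust to a non-Windows KDC); the `transitive` flag and the helper names are mine, not anything configured at UNCC.

```python
from collections import deque

MIT = "UNCC.EDU"            # MIT KDC realm named in the post
AD1 = "MOSAIC.UNCC.EDU"     # Win2k3 domain (XP clients)
AD2 = "MOSAIC64.UNCC.EDU"   # Win2k8R2 domain (Win7 clients)

# Directed trust edges (issuer, target, transitive).  A cross-realm TGT
# krbtgt/target@issuer can only be issued if such an edge exists.  The
# two-way trusts from the post become two edges each; marking them
# non-transitive is an assumption, not a statement about UNCC's config.
TRUSTS = [
    (MIT, AD1, False), (AD1, MIT, False),   # AD1 <-> UNCC.EDU
    (MIT, AD2, False), (AD2, MIT, False),   # AD2 <-> UNCC.EDU
    # no AD1 <-> AD2 edge: the post found no way to configure one
]


def ticket_chain(client_realm, service_realm, trusts=TRUSTS):
    """Shortest chain of cross-realm TGTs a principal whose TGT was issued
    by client_realm needs before asking service_realm for a service ticket,
    or None if no chain exists.  Every hop after the first must be a
    transitive edge, mirroring the 'transited' check a service realm
    applies when the ticket passed through an intermediate realm."""
    if client_realm == service_realm:
        return []
    queue = deque([(client_realm, [])])
    seen = {client_realm}
    while queue:
        realm, chain = queue.popleft()
        for issuer, target, transitive in trusts:
            if issuer != realm or target in seen:
                continue
            if chain and not transitive:      # second hop over a non-transitive trust
                continue
            step = chain + [f"krbtgt/{target}@{issuer}"]
            if target == service_realm:
                return step
            seen.add(target)
            queue.append((target, step))
    return None


def transited_realms(chain):
    """Realms an accepting KDC would see in the ticket's transited field:
    the issuer of every hop after the first."""
    return [t.split("@")[1] for t in chain[1:]]


if __name__ == "__main__":
    print(ticket_chain(MIT, AD1))    # one hop via the MIT KDC
    print(ticket_chain(AD2, AD1))    # None with non-transitive trusts
```

Re-running `ticket_chain(AD2, AD1)` with every edge marked transitive yields the two-hop chain through UNCC.EDU, which is exactly the hop the accepting domain's trust policy decides to honour or reject.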