Windows kerberos trust relationship conundrum...

Wilper, Ross A rwilper at stanford.edu
Mon Nov 5 18:52:25 EST 2012


You can access more AD brainpower by posting this to activedir at mail.activedir.org or windows-hied at lists.stanford.edu
-----

You are correct. The member server can only be a member of a single Kerberos realm (Active Directory domain) at any time.

----

My first thought is that you need to add Top-Level Name definitions to your trust relationships between your Active Directories and the MIT realm. Adding TLNs requires that you make the trusts forest transitive. TLNs tell Active Directory "send referrals for services with these (DNS) names thataway"

MOSAIC.UNCC.EDU trust needs TLNs UNCC.EDU and MOSAIC64.UNCC.EDU
MOSAIC64.UNCC.EDU trust needs TLNs UNCC.EDU and MOSAIC.UNCC.EDU

Not sure that the MIT realm will pass the referrals on through the chain nor do I know if transitive forest trusts through a non-Windows realm will work, but if it can, then you should be able to get all the necessary tickets no matter which domain/realm the server is in.

Second option may be to create a "shortcut" trust between MOSAIC and MOSAIC64. (I do not know without experimentation what the impact will be of the MIT principal having two findable altSecurityIdentities mappings, however. Having 2 in the same forest is bad; I don't know if 2 across two trusted forests is ok.) The more I think about it, the more likely it seems that you will need to use this route to get it to work...

Grant the users that the MIT principals map to in both AD realms access on the resource. 

-Ross



> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Dyer, Rodney
> Sent: Monday, November 05, 2012 12:49 PM
> To: kerberos at mit.edu
> Subject: Windows kerberos trust relationship conundrum...
> 
> Hi,
> 
> I need some advice.  I need to verify that an MIT/Windows trust option
> we've wanted to work, in fact cannot work.  Can someone here maybe
> provide some insightful comments on our setup?
> 
> Given:
> 
> 
> 1.     We have an existing Microsoft Win2k3 AD domain (MOSAIC.UNCC.EDU)
> in a cross-realm trust with an MIT KDC realm (UNCC.EDU).
> 
> 
> 
> 2.     Our XP clients are members of the Win2k3 domain.
> 
> 
> 
> 3.     Our XP users logon to the XP clients using their MIT realm credentials.
> 
> 
> 
> 4.     Once logged on to XP, our users access a CIFS share, hosted off of one of
> the Win2k3 domain servers.  The access works without a password because
> the CIFS service ticket is served from the Win2k3 domain.  The MIT user's
> "tgt" is "trusted".
> 
> 
>      This 'old' setup has worked fine for years.
> 
> 
>      Now for the 'new' setup...
> 
> 
> 1.     We have set up a new Win2k8R2 domain "MOSAIC64.UNCC.EDU".
> 
> 
> 
> 2.     The Win2k8R2 domain is also in a cross-realm trust with the MIT realm
> "UNCC.EDU".
> 
> 
> 
> 3.     Our new Win7 clients are members of the Win2k8R2 domain.
> 
> 
> 
> 4.     Once logged on to Win 7, our user can access a CIFS share, hosted off of
> one of the Win2k8R2 domain servers.  The access works without a password
> because the CIFS service ticket is served from the Win2k8R2 domain.  The
> MIT user's "tgt" is "trusted".
> 
> 
>      This 'new' setup works just fine.
> 
> 
> |----------------------|
> | MIT REALM:  UNCC.EDU |
> |----------------------|
>       ^         ^
>       |         |
>       |         |
>       |         |  AD1 trust    |------| domain membership |-----------|
>       |         --------------->| AD1  |<------------------| XP Client |<---[ user@UNCC.EDU ]
>       |                         |------|                   |-----------|
>       |                            ^             ---------/
>       |                            |            /
>       |                   |-------------------|/
>       |                   | AD CIFS VOL SHARE |
>       |                   |-------------------|
>       |
>       |
>       |
>       |
>       |            AD2 trust    |------| domain membership |-------------|
>       ------------------------->| AD2  |<------------------| Win7 Client |<---[ user@UNCC.EDU ]
>                                 |------|                   |-------------|
>                                    ^             ---------/
>                                    |            /
>                           |-------------------|/
>                           | AD CIFS VOL SHARE |
>                           |-------------------|
> 
> 
> 
> 
>      Now for our 'problem'...
> 
> 
> 
> 1.     What we really need is for our XP and Win7 users to share the "same
> CIFS volume", either hosted off of the old Win2k3 CIFS share, or the new
> Win2k8R2 CIFS share.  We want this...
> 
> 
> |----------------------|
> | MIT REALM:  UNCC.EDU |
> |----------------------|
>       ^         ^
>       |         |
>       |         |
>       |         |  AD1 trust    |------| domain membership |-----------|
>       |         --------------->| AD1  |<------------------| XP Client |<---[ user@UNCC.EDU ]
>       |                         |------|                   |-----------|
>       |                            ^             ---------/
>       |                            |            /
>       |                   |-------------------|/
>       |                   | AD CIFS VOL SHARE |
>       |                   |-------------------|\
>       |                                         \
>       |                                          \------\
>       |                                                  \
>       |                                                   \
>       |            AD2 trust    |------| domain membership |-------------|
>       ------------------------->| AD2  |<------------------| Win7 Client |<----[ user@UNCC.EDU ]
>                                 |------|                   |-------------|
> 
> 
> 
> 
> 2.     We are finding no way to configure trusts, or set up 'forest' trusts to allow
> sharing of a single CIFS share from both AD domains.
> 
> 
> Does anyone know what, if any, options we may have here?
> 
> It would seem that since our XP/Win7 clients can only be members of one
> domain, or the other, then we have no capability to provide authentication
> through to a non-member domain, even if it is also in the same cross-realm
> trust with the MIT KDC.
> 
> Essentially, "user@AD1_DOMAIN" (while logged on to a client that is an
> "AD1_DOMAIN" member) can't be mapped to "user@AD2_DOMAIN", even
> if both domains are trusting "MIT.REALM", and the user has a
> "user@MIT.REALM" TGT.
> 
> Is this reasoning correct?
> 
> Rodney
> 
> Rodney M. Dyer
> Operations and Systems (Specialist)
> Mosaic Computing Group
> William States Lee College of Engineering
> University of North Carolina at Charlotte
> Email: rmdyer at uncc.edu
> Web: http://www.coe.uncc.edu/~rmdyer
> Phone: (704)687-3518
> Help Desk Line: (704)687-3150
> FAX: (704)687-2352
> Office:  Cameron Hall, Room 232
> 
> 
> 
> 
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
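The two routes Ross sketches above (forest trusts to the MIT realm carrying Top-Level Names, versus a direct shortcut trust between MOSAIC and MOSAIC64) can be compared as a referral-routing problem. The Python below is an added illustration, not code from the thread or from Windows: the realm names are Rodney's, but the longest-suffix TLN matching rule, the `Trust`/`trust_tables` model and the decision to treat the MIT realm as just another routing table are this example's simplifying assumptions.

```python
from dataclasses import dataclass, field

MIT, AD1, AD2 = "UNCC.EDU", "MOSAIC.UNCC.EDU", "MOSAIC64.UNCC.EDU"

@dataclass
class Trust:
    partner: str      # realm the trust points at
    transitive: bool  # TLNs can only ride on forest (transitive) trusts
    tlns: set[str] = field(default_factory=set)  # DNS suffixes routed to partner

def _under(host, suffix):
    host, suffix = host.lower(), suffix.lower()
    return host == suffix or host.endswith("." + suffix)

def route_referral(local_realm, service_host, trusts):
    """Referral target for service_host from local_realm; longest suffix wins."""
    best, best_len = None, -1
    if _under(service_host, local_realm):
        best, best_len = local_realm, len(local_realm)
    for t in trusts:
        if not t.transitive:
            continue  # external trust: carries no name routing
        for tln in t.tlns:
            if _under(service_host, tln) and len(tln) > best_len:
                best, best_len = t.partner, len(tln)
    return best

def referral_path(client_realm, service_host, routing, max_hops=4):
    path = [client_realm]
    for _ in range(max_hops):
        nxt = route_referral(path[-1], service_host, routing.get(path[-1], []))
        if nxt is None:
            return None  # no realm claims the name: the chain dead-ends
        if nxt == path[-1]:
            return path  # this realm owns the service and issues the ticket
        path.append(nxt)
    return None

def trust_tables(option):
    """'today': external trusts to MIT, no TLNs.  'tlns': Ross's first option,
    forest trusts to MIT carrying TLNs.  'shortcut': his second option."""
    mit = [Trust(AD1, True, {AD1}), Trust(AD2, True, {AD2})]
    if option == "tlns":
        return {MIT: mit, AD1: [Trust(MIT, True, {MIT, AD2})],
                AD2: [Trust(MIT, True, {MIT, AD1})]}
    ad1, ad2 = [Trust(MIT, False)], [Trust(MIT, False)]
    if option == "shortcut":
        ad1.append(Trust(AD2, True, {AD2}))
        ad2.append(Trust(AD1, True, {AD1}))
    return {MIT: mit, AD1: ad1, AD2: ad2}
```

The 'tlns' path only completes because the modelled MIT table routes MOSAIC64 names onward; whether a real MIT KDC passes such referrals through is exactly the open question in Ross's reply.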


