Windows Kerberos trust relationship conundrum...

Douglas E. Engert deengert at anl.gov
Mon Nov 5 22:17:52 EST 2012
On 11/5/2012 2:49 PM, Dyer, Rodney wrote:
> Hi,
>
> I need some advice.  I need to verify that an MIT/Windows trust option we've wanted to work, in fact cannot work.  Can someone here maybe provide some insightful comments on our setup?
>

Have you looked at cross-forest trust between MOSAIC.UNCC.EDU and MOSAIC64.UNCC.EDU?

I don't know if that would work.

Since your Kerberos realm is UNCC.EDU, you can't have both in the same forest,
as the top of the forest would have to be UNCC.EDU.
> Given:
>
> 1.     We have an existing Microsoft Win2k3 AD domain (MOSAIC.UNCC.EDU) in a cross-realm trust with an MIT KDC realm (UNCC.EDU).
>
> 2.     Our XP clients are members of the Win2k3 domain.
>
> 3.     Our XP users log on to the XP clients using their MIT realm credentials.
>
> 4.     Once logged on to XP, our users access a CIFS share, hosted off of one of the Win2k3 domain servers.  The access works without a password because the CIFS service ticket is served from the Win2k3 domain.  The MIT user's "tgt" is "trusted".
>
>       This 'old' setup has worked fine for years.
>
>       Now for the 'new' setup...
>
> 1.     We have set up a new Win2k8R2 domain "MOSAIC64.UNCC.EDU".
>
> 2.     The Win2k8R2 domain is also in a cross-realm trust with the MIT realm "UNCC.EDU".
>
> 3.     Our new Win7 clients are members of the Win2k8R2 domain.
>
> 4.     Once logged on to Win 7, our user can access a CIFS share, hosted off of one of the Win2k8R2 domain servers.  The access works without a password because the CIFS service ticket is served from the Win2k8R2 domain.  The MIT user's "tgt" is "trusted".
>
>       This 'new' setup works just fine.
>
>
> |----------------------|
> | MIT REALM:  UNCC.EDU |
> |----------------------|
>        ^         ^
>        |         |
>        |         |
>        |         |  AD1 trust    |------| domain membership |-----------|
>        |         --------------->| AD1  |<------------------| XP Client |<---[ user at UNCC.EDU ]
>        |                         |------|                   |-----------|
>        |                            ^             ---------/
>        |                            |            /
>        |                   |-------------------|/
>        |                   | AD CIFS VOL SHARE |
>        |                   |-------------------|
>        |
>        |
>        |
>        |
>        |            AD2 trust    |------| domain membership |-------------|
>        ------------------------->| AD2  |<------------------| Win7 Client |<---[ user at UNCC.EDU ]
>                                  |------|                   |-------------|
>                                     ^             ---------/
>                                     |            /
>                            |-------------------|/
>                            | AD CIFS VOL SHARE |
>                            |-------------------|
>
>       Now for our 'problem'...
>
> 1.     What we really need is for our XP and Win7 users to share the "same CIFS volume", either hosted off of the old Win2k3 CIFS share, or the new Win2k8R2 CIFS share.  We want this...
>
> |----------------------|
> | MIT REALM:  UNCC.EDU |
> |----------------------|
>        ^         ^
>        |         |
>        |         |
>        |         |  AD1 trust    |------| domain membership |-----------|
>        |         --------------->| AD1  |<------------------| XP Client |<---[ user at UNCC.EDU ]
>        |                         |------|                   |-----------|
>        |                            ^             ---------/
>        |                            |            /
>        |                   |-------------------|/
>        |                   | AD CIFS VOL SHARE |
>        |                   |-------------------|\
>        |                                         \
>        |                                          \------\
>        |                                                  \
>        |                                                   \
>        |            AD2 trust    |------| domain membership |-------------|
>        ------------------------->| AD2  |<------------------| Win7 Client |<----[ user at UNCC.EDU ]
>                                  |------|                   |-------------|
>
> 2.     We are finding no way to configure trusts, or set up 'forest' trusts, to allow sharing of a single CIFS share from both AD domains.
>
> Does anyone know what, if any, options we may have here?
>
> It would seem that since our XP/Win7 clients can only be members of one domain, or the other, then we have no capability to provide authentication through to a non-member domain, even if it is also in the same cross-realm trust with the MIT KDC.
>
> Essentially, "user at AD1_DOMAIN" (while logged on a client that is an "AD1_DOMAIN" member) can't be mapped to "user at AD2_DOMAIN", even if both domains are trusting "MIT.REALM", and the user has a "user at MIT.REALM" TGT.
>
> Is this reasoning correct?
>
> Rodney
>
> Rodney M. Dyer
> Operations and Systems (Specialist)
> Mosaic Computing Group
> William States Lee College of Engineering
> University of North Carolina at Charlotte
> Email: rmdyer at uncc.edu
> Web: http://www.coe.uncc.edu/~rmdyer
> Phone: (704)687-3518
> Help Desk Line: (704)687-3150
> FAX: (704)687-2352
> Office:  Cameron Hall, Room 232
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444