Cross-realm trusts w/ MS Windows 2003
Douglas E. Engert
deengert at anl.gov
Mon Aug 18 17:42:56 EDT 2003
Sam Hartman wrote:
>
> I believe the problem is that the wizard for setting up cross-realm
> trusts gets the case of the realm name incorrect. I'm not really sure
> how to fix this, but I believe if you fix up the directory attributes
> by hand, everything will work.
I got the SecureCRT to work with the cross realm using the SSPI.
( I have been using the SecureCRT with the MIT GSSAPI for months.)
This required in effect passing to SSPI the full principal name, including
the realm.
When I updated the session file for orleans.ini from
S:"GSSAPI SPN"=host@$(FQDN)
to
S:"GSSAPI SPN"=host@$(FQDN)@KRB5.ANL.GOV
Unlike GSSAPI where you pass in service at host and no realm, with SSPI
you can pass in service/host at realm.
The MS kerberos does not have the host to realm mappings, but uses referrals.
If there was a way to add the principal to the global mapping, in the MS KDC,
then this would not be needed as a referral would work.
Daniel indicated that this was not possible. But I would think it would
be. Does anyone know how?
>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
More information about the krbdev
mailing list