Re: Kerberos proxy for implementing referrals



Before you do this, you may want to look at "Trusted Domain Objects"
and "Globus Catalog". There may be a way to use the "netdom" command to:

"Establish one-way or two-way trust relationships between domains,
including the following kinds of trust relationships:
...
The Windows Server 2003 or Windows 2000 Server half of an
interoperable Kerberos realm."

Google for netdom, trusted domain object or TDO, referral and cross realm
or Google for "Domain and Forest Trust Tools and Settings"

(I have not tried this. But it looks like the netdom command could
set up the TDO that is missing.)


Richard E. Silverman wrote:

I'm considering the use of a Kerberos proxy, to solve the problem of being
unable to do cross realm authentication through a Windows realm to an MIT
one, due to Windows not issuing referrals for external realms. The proxy
would issue referrals where needed instead of having the Windows KDC say
"no such principal," and send/return all other requests to Windows for the
client. Obviously, the proxy will need the TGS keys for the Windows
realm. This is a last resort; I'm going mad badgering Microsoft for some
sort of solution to this. My outstanding request to them is whether they
can issue default referrals. I'm not expecting a positive answer.

I'm wondering whether anyone else has considered this, or (hoping against
hope), already implemented it?

I've considered using the KfW GSSAPI library with clients that support it
(Firefox, SecureCRT, etc.), but this is probably not a workable option for
us.

All comments welcome and appreciated,


--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
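As an added illustration of the netdom route suggested above (this is not from either poster, and neither of them reports having run it), the following Windows-side commands create the trusted domain object for an MIT realm and then check what was created. The realm names AD.EXAMPLE and MIT.EXAMPLE, the KDC host name kdc.mit.example and the trust password are constructed placeholders; the matching krbtgt/AD.EXAMPLE@MIT.EXAMPLE principal must still be created on the MIT side with the same password and enctypes, which is outside what this block shows.

```powershell
# Added example, not from the thread. Run on a domain controller of the
# Windows realm (AD.EXAMPLE) as a Domain Admin. All names are placeholders.
$adDomain  = 'AD.EXAMPLE'         # constructed: the Windows domain/realm
$mitRealm  = 'MIT.EXAMPLE'        # constructed: the MIT Kerberos realm
$mitKdc    = 'kdc.mit.example'    # constructed: an MIT KDC for that realm
$trustPass = Read-Host -AsSecureString 'Trust password (same one used for krbtgt/AD.EXAMPLE@MIT.EXAMPLE on the MIT KDC)'
$plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($trustPass))

# 1. Tell the Windows KDC where the MIT realm's KDC lives. ksetup writes the
#    realm-to-KDC mapping that AD otherwise has no way to discover.
ksetup /addkdc $mitRealm $mitKdc

# 2. Create the trusted domain object. /realm marks the trust as a
#    non-Windows Kerberos realm trust; without /twoway it is one-way only,
#    which is the least-privilege choice if only AD users need MIT services.
netdom trust $adDomain /domain:$mitRealm /add /realm /passwordt:$plain
$plain = $null

# 3. Verify the TDO that netdom created. Get-ADTrust is in the ActiveDirectory
#    module (RSAT). A realm trust shows TrustType 'MIT' and, for a one-way
#    outgoing trust, Direction 'Outbound'.
Import-Module ActiveDirectory
$trust = Get-ADTrust -Filter "Name -eq '$mitRealm'" -Properties *
$trust | Select-Object Name, TrustType, Direction, IsTreeParent, IntraForest |
    Format-List

# 4. Ask netdom to validate the Kerberos leg of the trust. This only proves the
#    shared krbtgt secret matches on both sides once the MIT principal exists.
netdom trust $adDomain /domain:$mitRealm /verify /kerberos
```

Once the TDO exists, an AD client asking its DC for a service in MIT.EXAMPLE should receive a cross-realm TGT (krbtgt/MIT.EXAMPLE@AD.EXAMPLE) rather than "no such principal", which is the behaviour the original poster was hoping a proxy could supply. Whether the DC also needs a host-to-realm mapping (ksetup /addhosttorealmmap) for the MIT service hosts depends on whether their DNS domain differs from the realm name; that is not shown here.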