Re: Multiple AD domains and MIT Kerberos



BTW in your server code you have to use GSS_C_NO_NAME as the desired name in
gss_acquire_cred, or use GSS_C_NULL_OID in gss_import with
HTTP/web.example.exm@xxxxxxxxxxxxxxxx as input.

Regards
Markus

"Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
news:escflf$r0l$1@xxxxxxxxxxxxxxxx

"Eric Schwarz" <eric.schwarz.nrla@xxxxxxxxxxxxx> wrote in message
news:20253DF9635FD5438442BBC8397BBE7403F9D6B8@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

We have a situation where we are trying to get AIX Kerberos to
interoperate with Microsoft w2k3 AD 4-domain forest. The challenge is to
get the krb5.conf configuration to allow for the SPN to be registered in
an account that is not in the root domain of the forest. Example-

Forest-

Example.exm
Dom1.example.exm
Dom2.example.exm
SubDom.Dom2.example.exm

How do you configure the krb5.conf file to understand that the keytab
file is coming from an account in Dom1.example.exm (SPN=
http\web.example.com), yet the AIX machine should allow any Windows
account from any of the domains in the forest to authenticate to the AIX
machine? We believe it would have something to do with the [realms]
and/or [capath] settings... but cannot get it configured to accept
authentication from all domains unless the account with the target SPN is
in the root domain and all sub-domains then share a contiguous name
space. As soon as we place the target SPN on a sub-domain account, only
users from that domain can authenticate... all other domains cannot.


In a Unix only environment you could do the following:
Use a second IP on the same interface on the host e.g.
192.168.1.1 web.example.exm
192.168.1.2 host.example.exm

krb5.conf would look like:
[libdefaults]
default_realm = EXAMPLE.EXM
[realms]
EXAMPLE.EXM = {
auth_to_local = RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//
auth_to_local = DEFAULT
}
[domain_realm]
.example.exm = EXAMPLE.EXM
example.exm = EXAMPLE.EXM
.dom1.example.exm = DOM1.EXAMPLE.EXM
dom1.example.exm = DOM1.EXAMPLE.EXM
.dom2.example.exm = DOM2.EXAMPLE.EXM
dom2.example.exm = DOM2.EXAMPLE.EXM
.subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
subdom.dom2.example.exm = SUBDOM.DOM2.EXAMPLE.EXM
web.example.exm = DOM1.EXAMPLE.EXM

Now when you do ssh host.example.exm you will use
host/host.example.exm@xxxxxxxxxxx and when accessing the web server
web.example.exm you will use HTTP/web.example.exm@xxxxxxxxxxxxxxxx

On Windows this is (as far as I know) not possible. You can only
"redirect" the queries for a domain, not a host, e.g.
netdom trust EXAMPLE.EXM /domain:DOM1.EXAMPLE.EXM /addtln:web.example.exm

A list should show:
netdom trust EXAMPLE.EXM /namesuffixes:DOM1.EXAMPLE.EXM
Name, Type, Status, Notes
1. *.dom1.example.exm, Name Suffix, Enabled
1. *.web.example.exm, Name Suffix, Enabled

would mean you can have www1.web.example.exm and www2.web.example.exm in
domain DOM1.EXAMPLE.EXM

Any help would be appreciated.

Thanks!


Regards
Markus

Eric Schwarz
MCSE, MCT, Security+
Server/ Active Directory- Team Lead
Windows Security Services C01910
Systems Technology

phone- (309) 763-2873
mobile- (309) 319-3238
email- eric.schwarz.nrla@xxxxxxxxxxxxx
hpsd- SERVER-WINSECURITY (WG2716)
WinSecurity Change Management (WG2811)


________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
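To make the auth_to_local section of the krb5.conf above concrete, here is an added Python simulation of how MIT krb5 evaluates a list of RULE and DEFAULT entries against incoming principals. This is example code written for this page, not code from the thread or from MIT krb5 itself; the principal names are constructed, and the parser assumes the rule's selector regex contains no ")" and uses sed-style "s/pat/repl/" substitutions as MIT does. It also goes one step beyond the thread by showing a hardened rule with the dots in the realm suffix escaped.

```python
import re

# The [realms] entries from the thread's krb5.conf, as posted.
DEFAULT_REALM = "EXAMPLE.EXM"
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](.*@.*\.EXAMPLE.EXM$)s/@.*//",
    "DEFAULT",
]

# Hardened variant (added here): the unescaped "." in "EXAMPLE.EXM" matches any
# character, so the selector is tightened by escaping it.
AUTH_TO_LOCAL_HARDENED = [
    r"RULE:[1:$1@$0](.*@.*\.EXAMPLE\.EXM$)s/@.*//",
    "DEFAULT",
]

# RULE:[n:format](selector)s/pat/repl/[g]...  (selector and substitutions optional)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm=DEFAULT_REALM):
    """Return the local name produced by one rule, or None if it does not apply."""
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals in the default realm.
        if realm == default_realm and len(components) == 1:
            return components[0]
        return None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported auth_to_local entry: %r" % rule)
    ncomp, fmt, selector, substs = m.groups()
    if len(components) != int(ncomp):
        return None                      # wrong number of components
    candidate = fmt.replace("$0", realm)  # $0 is the realm, $1.. the components
    for i, comp in enumerate(components, 1):
        candidate = candidate.replace("$%d" % i, comp)
    if selector is not None and not re.search(selector, candidate):
        return None                      # selector regex did not match
    for pat, repl, flag in SUBST_RE.findall(substs):
        candidate = re.sub(pat, repl, candidate, count=0 if flag else 1)
    return candidate


def map_to_local(principal, rules=AUTH_TO_LOCAL, default_realm=DEFAULT_REALM):
    """First matching rule wins; None means the principal gets no local account."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed principals covering the forest from the thread plus two
    # outsiders; note that bob in DOM1 and bob in DOM2 collide on one local name.
    for p in ["alice@DOM1.EXAMPLE.EXM", "bob@DOM1.EXAMPLE.EXM",
              "bob@DOM2.EXAMPLE.EXM", "dave@SUBDOM.DOM2.EXAMPLE.EXM",
              "carol@EXAMPLE.EXM", "mallory@OTHER.EXM",
              "host/web.example.exm@DOM1.EXAMPLE.EXM", "eve@SUB.EXAMPLEZEXM"]:
        print("%-42s -> %s  (hardened: %s)" % (
            p, map_to_local(p), map_to_local(p, AUTH_TO_LOCAL_HARDENED)))
```

Two things worth seeing from the output: every realm under .EXAMPLE.EXM is accepted by the RULE and root-realm users fall through to DEFAULT, which is what the thread wants, but the mapping strips the realm, so identically named accounts in different domains of the forest land on the same local user; and the unescaped dot in the posted selector also accepts a realm like SUB.EXAMPLEZEXM, which the escaped variant rejects.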



