[31492] in Kerberos


Trust between AD and MIT Kerberos

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Tue Sep 22 04:54:15 2009

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: kerberos <kerberos@mit.edu>
Date: Tue, 22 Sep 2009 10:53:40 +0200
Message-Id: <1253609620.2059.11.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Reply-To: mikkel@linet.dk
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi All
I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT Kerberos (CBS.DK).
On the Windows machines I have:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK    KdcNames: kdc1.cbs.dk kdc2.cbs.dk

Adding "HTTP/od.cbs.dk@CBS.DK" to my CBS.DK and using mod_auth_kerb in Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens.
In my log file "/var/log/krb5kdc.log" I could see that a lot of requests came from Windows machines.

Now the IT department created a UPN suffix on the AD called CBS.DK and SSO stopped working on Windows clients. The requests in "/var/log/krb5kdc.log" stopped.
We removed the UPN suffix from the AD, but Windows clients are not working and the requests to "/var/log/krb5kdc.log" do not happen anymore. Everything is fine on Linux.
It seems that Windows clients no longer use the "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg.
Have been searching the net for month now. Anyone has any ideas what is wrong?
Is there a way to map domain to realms in Windows like [domain_realm] in krb5.conf?

Med Venlig Hilsen / Kind Regards



Mikkel Kruse Johnsen
Adm.Dir.
Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark
Work:   +4521287793
Mobile: +4521287793
Email:  mikkel@linet.dk
IM:     mikkel@linet.dk (MSN)
Professional Profile
Healthcare Network Consultant
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
