[31500] in Kerberos


Re: Trust between AD and MIT Kerberos

daemon@ATHENA.MIT.EDU (Mikkel Kruse Johnsen)
Wed Sep 23 02:53:27 2009

From: Mikkel Kruse Johnsen <mikkel@linet.dk>
To: Markus Moeller <huaraz@moeller.plus.com>
In-Reply-To: <39ydnT8l-eaapSTXnZ2dnUVZ8lCdnZ2d@brightview.co.uk>
Date: Wed, 23 Sep 2009 08:52:47 +0200
Message-Id: <1253688767.1990.3.camel@tux.lib.cbs.dk>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Reply-To: mikkel@linet.dk
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Markus

Is it possible to do:

netdom trust HHK.DK /domain:CBS.DK /addtln:od.cbs.dk

And only have Windows clients ask my MIT Kerberos server when accessing
https://od.cbs.dk? Or is it only for the whole domain?

Med Venlig Hilsen / Kind Regards

Mikkel Kruse Johnsen
Adm.Dir.

Linet
Ørholmgade 6 st tv
Copenhagen N 2200
Denmark

Work:   +45 21287793
Mobile: +45 21287793
Email:  mikkel@linet.dk
IM:     mikkel@linet.dk (MSN)
Professional Profile
Healthcare
Network Consultant

On Tue, 22 09 2009 at 21:48 +0100, Markus Moeller wrote:
> Do you look for something like?
>
>  netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
>
> This tells the w2k3 domain WINDOWS2003.HOME that hosts within the domain
> suse.home belong to the MIT domain SUSE.HOME
>
> Markus
>
> "Mikkel Kruse Johnsen" <mikkel@linet.dk> wrote in message
> news:mailman.20.1253609653.18120.kerberos@mit.edu...
> > Hi All
> >
> > I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT
> > Kerberos (CBS.DK).
> >
> > On the Windows machines I have:
> >
> > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
> >    KdcNames: kdc1.cbs.dk kdc2.cbs.dk
> >
> >
> > Adding "HTTP/od.cbs.dk@CBS.DK" to my CBS.DK and using mod_auth_kerb in
> > Apache. SSO worked on both Windows and Linux clients with HHK.DK tokens.
> >
> > In my log file "/var/log/krb5kdc.log" I could see that a lot of requests
> > came from Windows machines.
> >
> >
> > Now the IT department created a UPN suffix on the AD called CBS.DK and
> > SSO stopped working on Windows clients. The requests in
> > "/var/log/krb5kdc.log" stopped.
> >
> > We removed the UPN suffix from the AD, but Windows clients are not
> > working and the requests to "/var/log/krb5kdc.log" do not happen anymore.
> > Everything is fine on Linux.
> >
> > It seems that Windows clients no longer use the "HKLM\SYSTEM
> > \CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK" in the reg.
> >
> > Have been searching the net for month now. Anyone has any ideas what is
> > wrong?
> >
> > Is there a way to map domain to realms in Windows like [domain_realm] in
> > krb5.conf?
> >
> >
> > Med Venlig Hilsen / Kind Regards
> >
> >
> >
> >
> > Mikkel Kruse
> > Johnsen
> > Adm.Dir.
> >
> > Linet
> > Ørholmgade 6 st tv
> > Copenhagen N 2200
> > Denmark
> >
> > Work:    +45
> > 21287793
> > Mobile: +45
> > 21287793
> > Email:
> > mikkel@linet.dk
> > IM:
> > mikkel@linet.dk
> > (MSN)
> > Professional
> > Profile
> > Healthcare
> >
> >
> > Network
> > Consultant
> >
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
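Added example, not part of the original thread: the quoted message asks for a Windows equivalent of [domain_realm] in krb5.conf, and the reply asks whether a mapping can cover one host rather than a whole domain. The sketch below is a simplified model of how MIT krb5 resolves a host name through [domain_realm]; it says nothing about how Windows evaluates netdom /addtln. The krb5.conf text, the .lib.cbs.dk entry and the function names are assumptions made for illustration.

```python
# Simplified model of MIT krb5 [domain_realm] resolution (illustrative only).
# SAMPLE_KRB5_CONF is constructed for this example, not taken from the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = HHK.DK

[domain_realm]
    od.cbs.dk = CBS.DK
    .lib.cbs.dk = CBS.DK
"""

def parse_domain_realm(text):
    """Return {name: realm} for entries inside the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("["):                 # section header
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def candidates(host):
    """Yield lookup keys, most specific first:
    od.cbs.dk, .cbs.dk, cbs.dk, .dk, dk"""
    host = host.lower().rstrip(".")
    yield host                                   # exact host entry
    while "." in host:
        host = host.split(".", 1)[1]             # drop the leftmost label
        yield "." + host                         # domain entry (leading dot)
        yield host                               # bare parent name

def realm_for_host(host, mapping, default=None):
    """First matching key wins; no match returns `default`."""
    for key in candidates(host):
        if key in mapping:
            return mapping[key]
    return default   # caller would fall back to referrals or the default realm

MAPPING = parse_domain_realm(SAMPLE_KRB5_CONF)

if __name__ == "__main__":
    for h in ("od.cbs.dk", "www.cbs.dk", "tux.lib.cbs.dk", "lib.cbs.dk"):
        print(h, "->", realm_for_host(h, MAPPING, default="(no mapping)"))
```

In this model the host entry od.cbs.dk maps only that host, while the leading-dot entry .lib.cbs.dk covers hosts under lib.cbs.dk but not lib.cbs.dk itself.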
