[31504] in Kerberos


Re: Trust between AD and MIT Kerberos

daemon@ATHENA.MIT.EDU (Markus Moeller)
Wed Sep 23 17:35:04 2009

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Wed, 23 Sep 2009 22:33:58 +0100
Message-ID: <h9e48d$523$1@ger.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
In-Reply-To: <1253688767.1990.3.camel@tux.lib.cbs.dk>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Unfortunately you cannot; it is only for DNS name suffixes, not for hosts.

Markus

"Mikkel Kruse Johnsen" <mikkel@linet.dk> wrote in message news:1253688767.1990.3.camel@tux.lib.cbs.dk...
> Hi Markus
>
> Is it possible to do:
>
> netdom trust HHK.DK /domain:CBS.DK /addtln:od.cbs.dk
>
> And only have Windows clients ask my MIT Kerberos server when accessing
> https://od.cbs.dk ?
> Or is it only for the whole domain?
>
> Med Venlig Hilsen / Kind Regards
>
> Mikkel Kruse Johnsen
> Adm.Dir.
>
> Linet
> Ørholmgade 6 st tv
> Copenhagen N 2200
> Denmark
>
> Work:   +45 21287793
> Mobile: +45 21287793
> Email:  mikkel@linet.dk
> IM:     mikkel@linet.dk (MSN)
>
> Tue, 22 09 2009 at 21:48 +0100, Markus Moeller wrote:
>
>> Are you looking for something like this?
>>
>>  netdom trust WINDOWS2003.HOME /domain:SUSE.HOME /addtln:suse.home
>>
>> This tells the w2k3 domain WINDOWS2003.HOME that hosts within the domain
>> suse.home belong to the MIT domain SUSE.HOME
>>
>> Markus
>>
>> "Mikkel Kruse Johnsen" <mikkel@linet.dk> wrote in message
>> news:mailman.20.1253609653.18120.kerberos@mit.edu...
>> > Hi All
>> >
>> > I have a trust between my Windows 2003 AD (HHK.DK) and my RHEL5 MIT
>> > Kerberos (CBS.DK).
>> >
>> > On the Windows machines I have:
>> >
>> > HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK
>> >    KdcNames: kdc1.cbs.dk kdc2.cbs.dk
>> >
>> > Adding "HTTP/od.cbs.dk@CBS.DK" to my CBS.DK and using mod_auth_kerb in
>> > Apache, SSO worked on both Windows and Linux clients with HHK.DK
>> > tokens.
>> >
>> > In my log file "/var/log/krb5kdc.log" I could see that a lot of requests
>> > came from Windows machines.
>> >
>> > Now the IT department created a UPN suffix on the AD called CBS.DK and
>> > SSO stopped working on Windows clients. The requests in
>> > "/var/log/krb5kdc.log" stopped.
>> >
>> > We removed the UPN suffix from the AD, but Windows clients are not
>> > working and the requests to "/var/log/krb5kdc.log" do not happen
>> > anymore.
>> > Everything is fine on Linux.
>> >
>> > It seems that Windows clients no longer use the
>> > "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\CBS.DK"
>> > in the registry.
>> >
>> > I have been searching the net for months now. Does anyone have any
>> > ideas what is wrong?
>> >
>> > Is there a way to map domains to realms in Windows like [domain_realm]
>> > in krb5.conf?
>> >
>> > Med Venlig Hilsen / Kind Regards
>> >
>> > Mikkel Kruse Johnsen

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
