[27305] in Kerberos


Re: putty/winscp with gssapi/krb5 ticket forwarding

daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Tue Jan 30 11:55:05 2007

Message-ID: <118501c7448e$f0b1fdf0$0100a8c0@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: "Lars Schimmer" <l.schimmer@cgv.tugraz.at>
Date: Tue, 30 Jan 2007 10:44:59 -0600
Cc: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
> Christopher D. Clausen wrote:
>> Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
>>> Thanks for the link.
>>> Maybe I don't get it right on my thoughts.
>>> Setup here:
>>> AD with 1 server and x clients
>>> krb5 server on debian on extra machine
>>
>> So you have an Active Directory domain that the Windows machines are
>> on?
>
> Yes, there is an AD domain in which the PCs are.
>
>> And a separate Kerberos Realm for the Linux machines?
>
> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
> lower case cgv.tugraz.at)

Okay, this sounds bad.  You'll likely need to rename either the domain 
or the realm.  (I believe there is a Windows tool to rename a domain.)

Maybe someone else has an idea for you?  I don't think you can even 
set up a realm trust if the realm names are the same b/c the cross-realm 
TGT (krbtgt) would overwrite the current realm's TGT.

>> Do you have a realm trust between these?  B/c it's not likely to work
>> if you don't.
>
> There is no realm trust between both (which are the same).
> I use cgv.tugraz.at as an AD domain for login and CGV.TUGRAZ.AT for
> obtaining tickets/tokens.

You cannot have this work just b/c the realms are the same.  There needs 
to be a trust setup between the realms, or you need to have ALL your 
non-Windows machines also use the Windows domain as a KDC instead of the 
MIT one.

And please reply to the list and not to me directly.

<<CDC 

