[27305] in Kerberos
Re: putty/winscp with gssapi/krb5 ticket forwarding
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Tue Jan 30 11:55:05 2007
Message-ID: <118501c7448e$f0b1fdf0$0100a8c0@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: "Lars Schimmer" <l.schimmer@cgv.tugraz.at>
Date: Tue, 30 Jan 2007 10:44:59 -0600
Cc: kerberos@mit.edu
Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
> Christopher D. Clausen wrote:
>> Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
>>> Thanks for the link.
>>> Maybe I don't get it right on my thoughts.
>>> Setup here:
>>> AD with 1 server and x clients
>>> krb5 server on debian on extra machine
>>
>> So you have an Active Directory domain that the Windows machines are
>> on?
>
> Yes, there is an AD domain in which the PCs are.
>
>> And a separate Kerberos Realm for the Linux machines?
>
> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
> lower case cgv.tugraz.at)
Okay, this sounds bad. You'll likely need to rename either the domain
or the realm. (I believe there is a Windows tool to rename a domain.)
Maybe someone else has an idea for you? I don't think you can even
set up a realm trust if the realm names are the same b/c the cross-realm
TGT (krbtgt) would overwrite the current realm's TGT.
>> Do you have a realm trust between these? B/c it's not likely to work
>> if you don't.
>
> There is no realm trust between both (which are the same).
> I use cgv.tugraz.at as an AD domain for login and CGV.TUGRAZ.AT for
> obtaining tickets/tokens.
You cannot have this work just b/c the realms are the same. There needs
to be a trust set up between the realms, or you need to have ALL your
non-Windows machines also use the Windows domain as a KDC instead of the
MIT one.
And please reply to the list and not to me directly.
<<CDC