[27765] in Kerberos


Joining a multiple realm AD environment

daemon@ATHENA.MIT.EDU (Chris Penney)
Fri May 11 12:36:43 2007

Message-ID: <111aefd0705110719q41b619eew55d5377246f08a3b@mail.gmail.com>
Date: Fri, 11 May 2007 10:19:24 -0400
From: "Chris Penney" <penney@msu.edu>
To: kerberos@mit.edu
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello,

At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM,
etc.) that all trust each other.  There are users set up in each realm
that need to access the Linux systems I maintain.  Today, we have a
completely independent realm (with our own principal for each user)
that I want to do away with and just join the AD structure (i.e. be
assimilated ;) ).

I have proven that with krb5-1.5.3 I can set my default realm to
LOC1.DOM.COM and effectively log in (my account is in LOC1).  Users
from other realms cannot.  I'm curious what I need to do to make this
work.  We have SRV records set up for KDC lookup.  I have not yet
created a computer account for the system.  In /etc/krb5.conf I have:

[libdefaults]
    default_realm = LOC1.DOM.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

[realms]
    LOC1.DOM.COM = {
        auth_to_local = RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//
        auth_to_local = DEFAULT
    }
    LOC2.DOM.COM = {
        auth_to_local = RULE:[1:$1@$0](.*@LOC1\.DOM\.COM)s/@.*//
        auth_to_local = DEFAULT
    }

This doesn't seem to work.  Using 'tcpdump port kerberos' when a user
in LOC2 logs in I only see LOC1 being queried.  I'm curious if I'm
doing something wrong or if I simply need to get a computer account
created for the box before trusts work.  I was hoping to not approach
the AD staff until I was more or less certain I knew what needed to be
done.

Thanks,

   Chris
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
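The post's krb5.conf relies on auth_to_local RULE/DEFAULT entries to turn a cross-realm principal into a local user name, which is a separate step from the KDC lookup the tcpdump trace is about. The following is an added example (not code from the post, the list, or MIT krb5): a small Python re-implementation of the documented MIT rule semantics, so the mapping half of the problem can be checked offline against the stanza shape in the post. Assumptions: a RULE applies only when the principal has exactly n components, the selector regexp must match the whole formatted string, s/pattern/replacement/ is applied once unless flagged g, DEFAULT maps only single-component principals in the default realm, and Python's `re` stands in for POSIX extended regexps. The rule list and principals below are constructed to mirror the LOC1.DOM.COM stanza.

```python
"""Evaluate krb5.conf auth_to_local rules (MIT RULE/DEFAULT subset) in pure Python.

This is an illustration, not libkrb5. It follows the documented MIT behaviour:
a RULE applies only to principals with exactly n components, the selector regexp
must match the *whole* formatted string, and the first applicable rule wins.
Python `re` is used in place of POSIX extended regular expressions.
"""
import re

_RULE_HEAD = re.compile(r"^RULE:\[(\d+):([^\]]*)\](.*)$")
_UNESCAPED_SLASH = re.compile(r"(?<!\\)/")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("principal must be name@REALM: %r" % principal)
    return name.split("/"), realm


def parse_rule(rule):
    """Return (n_components, format, regexp, (pattern, repl, is_global)) for a RULE: entry."""
    m = _RULE_HEAD.match(rule)
    if not m:
        raise ValueError("not a RULE: entry: %r" % rule)
    ncomp, fmt, rest = int(m.group(1)), m.group(2), m.group(3)
    regexp = None
    if rest.startswith("("):
        # The selector regexp runs up to the ')' that precedes an optional 's/' section.
        end = rest.rfind(")s/")
        end = len(rest) - 1 if end == -1 else end
        if rest[end] != ")":
            raise ValueError("unterminated selector in %r" % rule)
        regexp, rest = rest[1:end], rest[end + 1:]
    subst = None
    if rest.startswith("s/"):
        parts = _UNESCAPED_SLASH.split(rest[2:])
        if len(parts) != 3 or parts[2] not in ("", "g"):
            raise ValueError("bad s/pattern/replacement/[g] in %r" % rule)
        pattern, repl, flags = parts
        subst = (pattern, repl, flags == "g")
    elif rest:
        raise ValueError("trailing text after rule in %r" % rule)
    return ncomp, fmt, regexp, subst


def _apply_rule(rule, components, realm):
    ncomp, fmt, regexp, subst = parse_rule(rule)
    if len(components) != ncomp:
        return None  # rule only applies to principals with exactly n components

    def expand(m):
        # $0 is the realm, $1..$n are the principal components.
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > ncomp:
            raise ValueError("format references $%d but rule has %d components" % (i, ncomp))
        return components[i - 1]

    formatted = re.sub(r"\$(\d+)", expand, fmt)
    if regexp is not None and re.fullmatch(regexp, formatted) is None:
        return None
    if subst is None:
        return formatted
    pattern, repl, is_global = subst
    return re.sub(pattern, repl, formatted, count=0 if is_global else 1)


def map_principal(principal, rules, default_realm):
    """Return the local user name for `principal`, or None when no rule applies
    (libkrb5 reports that case as 'No translation available')."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component principals in the default realm.
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        result = _apply_rule(rule, components, realm)
        if result is not None:
            return result
    return None


# Constructed rule list mirroring the shape of the LOC1.DOM.COM stanza in the post.
LOC1_RULES = [
    r"RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//",
    "DEFAULT",
]

if __name__ == "__main__":
    # Constructed sample principals: a local user, a trusted-realm user, a service
    # principal, and a user from a realm with no rule (which maps to nothing).
    for p in ["chris@LOC1.DOM.COM", "bob@LOC2.DOM.COM",
              "host/web01@LOC2.DOM.COM", "dave@LOC3.DOM.COM"]:
        print("%-26s -> %s" % (p, map_principal(p, LOC1_RULES, "LOC1.DOM.COM")))
```

Running it shows the two consequences of this stanza that are easy to miss when reading the file: a principal from any trusted realm that is not named in a RULE (LOC3 here) gets no local name at all, even though the trust exists, and a multi-component principal from LOC2 is skipped by the [1:...] rule. Whether the LOC2 KDC is contacted in the first place is the referral and trust question the tcpdump trace raises, which these rules do not influence.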
