
Re: Joining a multiple realm AD environment

daemon@ATHENA.MIT.EDU (Chris Penney)
Thu May 17 00:25:24 2007

Message-ID: <111aefd0705161928r108b4a35yb9d9b679e45fb2df@mail.gmail.com>
Date: Wed, 16 May 2007 22:28:55 -0400
From: "Chris Penney" <penney@msu.edu>
To: kerberos@mit.edu
In-Reply-To: <111aefd0705110719q41b619eew55d5377246f08a3b@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 5/11/07, Chris Penney <penney@msu.edu> wrote:
> Hello,
>
> At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM,
> etc.) that all trust each other.  There are users set up in each realm
> that need to access the Linux systems I maintain.  Today, we have a
> completely independent realm (with our own principal for each user)
> that I want to do away with and just join the AD structure (i.e. be
> assimilated ;) ).
>
> I have proven that with krb5-1.5.3 I can set my default realm to
> LOC1.DOM.COM and effectively login (my account is in LOC1).  Users
> from other realms cannot.  I'm curious what I need to do to make this
> work.  We have SRV records set up for KDC lookup.  I have not yet
> created a computer account for the system.  In /etc/krb5.conf I have:
>
> [libdefaults]
>     default_realm = LOC1.DOM.COM
>     dns_lookup_kdc = true
>     dns_lookup_realm = false
>     forwardable = true
>
> [realms]
>     LOC1.DOM.COM = {
>         auth_to_local = RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//
>         auth_to_local = DEFAULT
>     }
>     LOC2.DOM.COM = {
>         auth_to_local = RULE:[1:$1@$0](.*@LOC1\.DOM\.COM)s/@.*//
>         auth_to_local = DEFAULT
>     }
>
> This doesn't seem to work.  Using 'tcpdump port kerberos' when a user
> in LOC2 logs in I only see LOC1 being queried.  I'm curious if I'm
> doing something wrong or if I simply need to get a computer account
> created for the box before trusts work.  I was hoping to not approach
> the AD staff until I was more or less certain I knew what needed to be
> done.

Any comments on this or would anyone have any idea where I can go to
perhaps find a solution to this?

Thanks!

   Chris
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
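The auth_to_local rules in the quoted krb5.conf decide which foreign-realm principals get a local account at all, so it is worth seeing exactly what they accept. The following is an added example, not code from the poster or from MIT krb5: a small Python model of the RULE/DEFAULT mapping applied to constructed principal names. It assumes MIT's behaviour that only the auth_to_local entries under the default realm's [realms] section are consulted (so the rules under LOC2.DOM.COM in the post never run), that the regexp must match the whole formatted string, and that the [n:...] prefix selects principals with exactly n components.

```python
import re
from typing import Optional

# Constructed fragment: the entries under the default realm's section,
# in the poster's order (assumption: these are the only ones consulted).
DEFAULT_REALM = "LOC1.DOM.COM"
AUTH_TO_LOCAL = [
    r"RULE:[1:$1@$0](.*@LOC2\.DOM\.COM)s/@.*//",
    "DEFAULT",
]
# Constructed contrast: same rule without the realm check in its regexp.
BROAD_RULE = [r"RULE:[1:$1@$0](.*)s/@.*//"]

_RULE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")


def apply_rule(rule: str, princ: str) -> Optional[str]:
    """Apply one auth_to_local entry to 'c1/c2@REALM'; None if no match."""
    name, _, realm = princ.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals of the default realm.
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule}")
    ncomp, fmt, regex, pat, repl, flag = m.groups()
    if len(comps) != int(ncomp):
        return None  # [n:...]: principal must have exactly n components
    s = fmt.replace("$0", realm)  # $0 is the realm, $1.. the components
    for i, c in enumerate(comps, 1):
        s = s.replace(f"${i}", c)
    if not re.fullmatch(regex, s):  # assumption: whole string must match
        return None
    return re.sub(pat, repl, s, count=0 if flag == "g" else 1)


def map_to_local(princ: str, rules=AUTH_TO_LOCAL) -> Optional[str]:
    """First matching entry wins; None means no local user is granted."""
    for rule in rules:
        out = apply_rule(rule, princ)
        if out is not None:
            return out
    return None


if __name__ == "__main__":
    for p in ("penney@LOC1.DOM.COM", "alice@LOC2.DOM.COM",
              "host/web01@LOC2.DOM.COM", "bob@LOC3.DOM.COM"):
        print(p, "->", map_to_local(p), "| broad:", map_to_local(p, BROAD_RULE))
```

With the poster's rules, a LOC3 principal maps to nothing, while the broad variant would hand any trusted realm's "bob" the local account bob, which is the check to keep in mind when the rule set is extended to more realms.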
