[27798] in Kerberos
Re: Joining a multiple realm AD environment
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Sun May 20 13:33:49 2007
Message-ID: <464E1386.4010807@anl.gov>
Date: Fri, 18 May 2007 15:58:46 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
To: Chris Penney <penney@msu.edu>
In-Reply-To: <111aefd0705180943g699cf03fh5142e1dfbcba181e@mail.gmail.com>
Cc: kerberos@mit.edu
Chris Penney wrote:
> On 5/17/07, Douglas E. Engert <deengert@anl.gov> wrote:
>> Whose pam_krb5? Russ Allbery's has some extra options that might
>> try both realms.
>
>
> On 5/17/07, Markus Moeller <huaraz@moeller.plus.com> wrote:
>> You need entries like (assuming that users are unique over both domains
>> and you have more users in LOC1.DOM.COM)
>> other auth sufficient pam_krb5 REALM=LOC1.DOM.COM
>> other auth sufficient pam_krb5 REALM=LOC2.DOM.COM
Note that the LOC1.DOM.COM AD logs may show a lot of failures
for missing users or bad passwords, and may lock a user account.
>
> Ah! I see. I used the pam_krb5 that Douglas noted and the pam config
> lines you noted and it works basically as intended.
>
> Do you still have to do this even if you add the system to AD via a
> "User" account?
Microsoft used a misleading term when they said to add the machine as
a "user". You are adding a service principal for the machine into a
realm. With AD that also means it needs an account, which looks like
a "user" account, but in Kerberos terms has nothing to do with the user.
So each user must be registered with a principal (and AD account), and
each service must be registered with a principal (and its own AD account).
If you have cross realm setup then each user only needs to be in one realm,
and each service only needs to be in one realm.
You did not indicate that you have cross realm set up, i.e. the ADs have
some cross domain trust. But if it works as intended, then it must.
A klist would show an extra TGT like krbtgt/LOC1.DOM.COM@LOC2.DOM.COM
>
> Thanks!
>
> Chris
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
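As an added example (not part of the thread above), the check Douglas describes, looking in `klist` output for a cross-realm TGT such as krbtgt/LOC1.DOM.COM@LOC2.DOM.COM, written as a small Python parser. The klist output below is constructed for the example and reuses the thread's LOC1.DOM.COM / LOC2.DOM.COM realm names; the user and host names in it are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of MIT klist output (not taken from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: chris@LOC2.DOM.COM

Valid starting       Expires              Service principal
05/18/2007 15:58:46  05/19/2007 01:58:46  krbtgt/LOC2.DOM.COM@LOC2.DOM.COM
05/18/2007 15:58:50  05/19/2007 01:58:46  krbtgt/LOC1.DOM.COM@LOC2.DOM.COM
05/18/2007 15:58:51  05/19/2007 01:58:46  host/srv1.loc1.dom.com@LOC1.DOM.COM
"""

# A ticket line: two date/time pairs followed by the service principal.
TICKET_RE = re.compile(r"^\S+ \S+\s+\S+ \S+\s+(?P<service>\S+)$")
# A TGT principal: krbtgt/<realm the TGT is good for>@<realm that issued it>.
TGT_RE = re.compile(r"^krbtgt/(?P<target>[^@]+)@(?P<issuer>.+)$")


@dataclass(frozen=True)
class CrossRealmTgt:
    target_realm: str   # realm whose KDC will accept this TGT
    issuer_realm: str   # realm whose KDC issued it


def parse_klist(text):
    """Return (default realm, list of service principals) from klist output."""
    default_realm = None
    services = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default_realm = line.split("@", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m and "@" in m.group("service"):
            services.append(m.group("service"))
    return default_realm, services


def cross_realm_tgts(text):
    """List the cross-realm TGTs (krbtgt/A@B with A != B) in the cache.
    One of these is the evidence that a trust between the realms is in use:
    the local KDC issued a TGT that the other realm's KDC will accept."""
    _, services = parse_klist(text)
    found = []
    for svc in services:
        m = TGT_RE.match(svc)
        if m and m.group("target") != m.group("issuer"):
            found.append(CrossRealmTgt(m.group("target"), m.group("issuer")))
    return found
```

Feed it the output of a real `klist` run (for example via `subprocess`) to confirm that a login against one realm really is reaching the other through the trust rather than through a second set of credentials.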