[27799] in Kerberos


Re: Joining a multiple realm AD environment

daemon@ATHENA.MIT.EDU (Chris Penney)
Sun May 20 13:34:07 2007

Message-ID: <111aefd0705190626h6c952d1ap12f9348c69876f91@mail.gmail.com>
Date: Sat, 19 May 2007 09:26:47 -0400
From: "Chris Penney" <penney@msu.edu>
To: kerberos@mit.edu
In-Reply-To: <464E1386.4010807@anl.gov>
MIME-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 5/18/07, Douglas E. Engert <deengert@anl.gov> wrote:
>
> Chris Penney wrote:
> >
> > Ah!  I see.  I used the pam_krb5 that Douglas noted and the pam config
> > lines you noted and it works basically as intended.
> >
> > Do you still have to do this even if you add the system to AD via a
> > "User" account?
>
> Microsoft used a misleading term when they said to add the machine as
> a "user".  You are adding a service principal for the machine into a
> realm. With AD that also means it needs an account, which looks like
> a "user" account, but in Kerberos terms has nothing to do with the user.
>
> So each user must be registered with a principal (and AD account), and
> each service must be registered with a principal (and its own AD account).
>
> If you have cross realm setup then each user only needs to be in one realm,
> and each service only needs to be in one realm.
>
> You did not indicate that you have cross realm set up. i.e. the ADs have
> some cross domain trust.  But if it works as intended, then it must.
> A klist would show an extra TGT like krbtgt/LOC1.DOM.COM@LOC2.DOM.COM

Yes, LOC1 and LOC2 trust each other, though I'm not clear that I'm
leveraging that.  When I say working as intended it's probably
incorrect.  I just mean that if I have an entry in the pam config file
for each realm all users can log in simply because pam tries user@LOC1
then user@LOC2, etc.

Is this a normal way of handling this?  Is setting up .k5login with
user@LOCx the best way to avoid iterating through all the realms?

    Chris
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
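As an added illustration (not code from this thread or from pam_krb5), a small Python model of the two approaches Chris contrasts: a pam-style loop that tries user@REALM for each configured realm, and a .k5login check with krb5_kuserok() semantics (listed principals only; without the file, only user@DEFAULT_REALM maps to the local account). The realm names, the principal set standing in for AD, and the .k5login contents are constructed sample data.

```python
# Added example, not from the thread: compares "iterate the realms" with
# a .k5login authorization check. All names below are constructed samples.

REALMS = ["LOC1.DOM.COM", "LOC2.DOM.COM"]   # assumed cross-realm-trusted ADs

# Constructed stand-in for "this principal exists and authenticated in AD".
KNOWN_PRINCIPALS = {
    "chris@LOC1.DOM.COM",
    "chris@LOC2.DOM.COM",   # same name may exist independently in both realms
    "alice@LOC2.DOM.COM",
}


def iterate_realms(user, realms=REALMS, known=KNOWN_PRINCIPALS):
    """pam-config-per-realm behaviour: the first realm where user@REALM
    authenticates wins. Returns that principal, or None if none did."""
    for realm in realms:
        candidate = f"{user}@{realm}"
        if candidate in known:
            return candidate
    return None


def parse_k5login(text):
    """~/.k5login holds one full principal per line; blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def kuserok(local_user, principal, k5login_text=None,
            default_realm="LOC1.DOM.COM"):
    """Mirrors krb5_kuserok(): if a .k5login exists, only principals listed
    in it may use the local account; otherwise only <local_user>@<default
    realm> is accepted, so a same-named principal from another realm is not."""
    if k5login_text is not None:
        return principal in parse_k5login(k5login_text)
    name, _, realm = principal.partition("@")
    return name == local_user and realm == default_realm


if __name__ == "__main__":
    k5 = "chris@LOC1.DOM.COM\n"          # constructed ~chris/.k5login
    print(iterate_realms("alice"))                      # alice@LOC2.DOM.COM
    print(kuserok("chris", "chris@LOC2.DOM.COM"))       # False: wrong realm
    print(kuserok("chris", "chris@LOC2.DOM.COM", k5))   # False: not listed
    print(kuserok("chris", "chris@LOC1.DOM.COM", k5))   # True
```

The loop answers "which realm did this name authenticate in", while .k5login answers "which exact principals may become this local user"; the second is the check that decides who ends up in the account.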
