[28516] in Kerberos
Re: cross realm and capaths question
daemon@ATHENA.MIT.EDU (Christopher D. Clausen)
Mon Oct 1 11:49:25 2007
Message-ID: <5D8D4DC0754E4E1EA96378A222D304E5@CDCHOME>
From: "Christopher D. Clausen" <cclausen@acm.org>
To: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Mon, 1 Oct 2007 10:40:17 -0500
Cc: kerberos@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Douglas E. Engert <deengert@anl.gov> wrote:
> Markus Moeller wrote:
>>> TGS-REP error_code: KRB5KDC_ERR_PATH_NOT_ACCEPTED (28)
>
> This looks like AD is checking the transited path, and does not like
> it. RFC4120 section 2.7 does not require the KDC to check the
> transited field, and the client may even ash the KDC to not check it,
> with the DISABLE-TRANSITED-CHECK flag, but the KDC may still check.
>
> AD does a lot more with trust the the MIT KDCs and may treat forests
> and external realms differently. In your diagram, you are trying to
> context TEST.COM not at the forest root. In most of the Microsoft
> documents they talk about connecting forests at the root.
>
> They talk about the different types of trust. I don't see
> "External Transitive" which is what I think you are trying to do.
> Although Realm Trust looks very close, but TGEST.COM is AD, not
> Kerberos.
>
> Can you connect TEST.COM to TOP.COM? This woulf be forest trust.
> Or can rename you TEST.COM to TEST.DOM1.TOP.COM and have it join the
> forest? Then AD should not have any problems,and you would not need
> the capaths, as the default ist to go up the tree then back down.
The AD domain to non-AD domain trust likely needs to be changed to a
"transitive" trust using the netdom.exe tool.
for example:
netdom trust <AD domain> /ForestTRANsitive /domain <non-AD domain>
<<CDC
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos