[32988] in Kerberos
Re: some cross-realm trust questions
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Dec 26 14:53:14 2010
From: Russ Allbery <rra@stanford.edu>
To: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
In-Reply-To: <if45dt$2hkq$1@relay.tomsk.ru> (Victor Sudakov's message of "Sat,
25 Dec 2010 07:10:53 +0000 (UTC)")
Date: Sun, 26 Dec 2010 11:53:05 -0800
Message-ID: <878vzc5n1a.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su> writes:
> 2. Are there any success stories of servers in a Heimdal realm
> authenticating users from a trusted Microsoft AD based realm?
Yes, we do this.
> Is there a documentation how to setup such one way trust?
We have a bidirectional trust, but I think the setup is substantially the
same. It's just like a regular bidirectional trust, except you would then
delete the krbtgt principal for the Active Directory realm from the
Heimdal realm.
There's a section in the Heimdal manual on setting up cross-realm trust.
On the Active Directory side, I've not done it personally, but:
http://technet.microsoft.com/en-us/library/cc738617%28WS.10%29.aspx
looks like the right documentation, and I think you want one-way incoming
if I understand that properly.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
