[32992] in Kerberos
Re: some cross-realm trust questions
daemon@ATHENA.MIT.EDU (Victor Sudakov)
Mon Dec 27 10:50:30 2010
From: Victor Sudakov <vas@mpeks.no-spam-here.tomsk.su>
Date: Mon, 27 Dec 2010 05:14:32 +0000 (UTC)
Message-ID: <if97bo$cv6$1@relay.tomsk.ru>
X-Comment-To: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
Russ Allbery wrote:

> > 2. Are there any success stories of servers in a Heimdal realm
> > authenticating users from a trusted Microsoft AD based realm?

> Yes, we do this.

I am just curious. What Windows client programs and Unix server
programs (or vice versa) must you use? How do you use this trust?

I am trying to set up a trust so that MSIE users could have an SSO to a
site running Apache on FreeBSD but I don't know yet if the game is
worth the candle.

> > Is there documentation on how to set up such a one-way trust?

> We have a bidirectional trust, but I think the setup is substantially the
> same. It's just like a regular bidirectional trust, except you would then
> delete the krbtgt principal for the Active Directory realm from the
> Heimdal realm.

> There's a section in the Heimdal manual on setting up cross-realm trust.
> On the Active Directory side, I've not done it personally, but:

> http://technet.microsoft.com/en-us/library/cc738617%28WS.10%29.aspx

This documentation seems incomplete because it does not mention some
issues with a non-Windows realm. I have another link:
http://technet.microsoft.com/en-us/library/bb742433.aspx

But it still escapes me how on earth I will end up with
krbtgt/UNIX.REALM@WINDOWS.REALM and krbtgt/WINDOWS.REALM@UNIX.REALM
having the same key. There is nothing in the above articles about
exporting and importing keytabs.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos