Re: Multiple realms in one krb5.conf
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Mon Dec 15 11:53:06 2008
Message-ID: <49468B4D.8060707@anl.gov>
Date: Mon, 15 Dec 2008 10:52:29 -0600
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: james.chavez@sanmina-sci.com
In-Reply-To: <1229357340.4314.16.camel@PHX1AMUX269160.sanmina-sci.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
James Chavez wrote:
> Hello list,
>
> I have a question that I need assistance with.
>
> I have a Windows 2003 AD setup.
> The forest consists of 3 domains.
> So we will say the name is
> example.com and there are 3 domains.
>
> america.example.com
> asia.example.com
> europe.example.com
>
> Is it possible to configure the krb5.conf on a station so that kerberos
> can service login requests for each of the 3 domains?
Maybe, but it is not clear what you mean.
> Is this as simple as adding an entry for each realm in the realms
> section of the krb5.conf file?
That is part of it, although DNS could be used to find the realms.
You say logins, so I am assuming that the station is Unix based.
Login would use PAM with a pam_krb5, and the station above will
need to have a principal in one of the realms and a keytab
to match.
But if a user is in one AD domain and the server is in a different
AD domain, this would be cross realm and the pam_krb5 would have
to do some additional checks.
Kerberos only does authentication; you still need to authorize
the user to login.
Start here, as this gives the basic concepts:
http://technet.microsoft.com/en-us/library/bb742433.aspx
>
>
> Thank you
> James
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
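As an added illustration of the configuration Douglas describes (not part of the thread, and not anything either poster wrote), here is a krb5.conf for a Unix station that knows all three forest realms. The KDC hostnames, the station's own realm (AMERICA.EXAMPLE.COM) and the auth_to_local rules are assumptions chosen for the example; only the three domain names come from the question. The [realms] entries answer the "one entry per realm" part, [domain_realm] maps hostnames to realms so the DNS lookup is not needed, and the auth_to_local rules are where the cross-realm authorization point is handled: a principal from another realm only gets a local account if a rule says so, which is the "additional checks" the reply refers to.

```ini
# Added example, not from the original thread. KDC names are placeholders.
[libdefaults]
    default_realm = AMERICA.EXAMPLE.COM     # realm the station's host principal lives in (assumed)
    dns_lookup_realm = false                # explicit domain_realm mapping below instead of DNS TXT
    dns_lookup_kdc = true                   # AD publishes _kerberos._tcp SRV records; use them
    forwardable = true

[realms]
    AMERICA.EXAMPLE.COM = {
        kdc = dc1.america.example.com       # placeholder domain controller
        admin_server = dc1.america.example.com
        # Authorization: which principals may become which local users.
        # Same-realm users map to their short name; the other two forest
        # realms are allowed explicitly (cross-realm), everything else is denied.
        auth_to_local = RULE:[1:$1@$0](^.*@AMERICA\.EXAMPLE\.COM$)s/@.*//
        auth_to_local = RULE:[1:$1@$0](^.*@ASIA\.EXAMPLE\.COM$)s/@.*//
        auth_to_local = RULE:[1:$1@$0](^.*@EUROPE\.EXAMPLE\.COM$)s/@.*//
        # No "auth_to_local = DEFAULT" here: an unlisted realm gets no local account.
    }
    ASIA.EXAMPLE.COM = {
        kdc = dc1.asia.example.com          # placeholder
        admin_server = dc1.asia.example.com
    }
    EUROPE.EXAMPLE.COM = {
        kdc = dc1.europe.example.com        # placeholder
        admin_server = dc1.europe.example.com
    }

[domain_realm]
    # Host-to-realm mapping for each of the three forest domains.
    .america.example.com = AMERICA.EXAMPLE.COM
    america.example.com  = AMERICA.EXAMPLE.COM
    .asia.example.com    = ASIA.EXAMPLE.COM
    asia.example.com     = ASIA.EXAMPLE.COM
    .europe.example.com  = EUROPE.EXAMPLE.COM
    europe.example.com   = EUROPE.EXAMPLE.COM
```

The station still needs a host principal in AMERICA.EXAMPLE.COM and a matching /etc/krb5.keytab, as the reply says; the keytab is what lets pam_krb5 verify that the TGT it obtained really came from a trusted KDC rather than accepting any ticket-shaped response. With the rules above a login from a user in ASIA.EXAMPLE.COM or EUROPE.EXAMPLE.COM authenticates cross-realm and is mapped to the short user name, which must also exist locally (via /etc/passwd, LDAP, or similar) for the login to be authorized; a principal from any realm not listed is rejected even though its ticket is valid.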