[19043] in Kerberos
RE: Authentication to realms of a tree
daemon@ATHENA.MIT.EDU (Marigomen, Ted {Info~Palo Alto})
Thu Apr 10 13:39:30 2003
Date: Thu, 10 Apr 2003 10:36:31 -0700
From: "Marigomen, Ted {Info~Palo Alto}" <TED.MARIGOMEN@ROCHE.COM>
To: kerberos@mit.edu
Message-id: <6A39BF27EAB27743887E0425BD51196B37FFED@rplmsem1.nala.roche.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
content-class: urn:content-classes:message
Content-Transfer-Encoding: 8bit
Errors-To: kerberos-bounces@mit.edu
> -----Original Message-----
> From: hwntw
> Sent: Saturday, April 05, 2003 5:43 AM
> To: kerberos@MIT.EDU
> Subject: Re: Authentication to realms of a tree
>
>
> ("Marigomen, Ted {Info~Palo Alto}")
> wrote in message
>
> > Hi all,
> >
> > I have set up kerberos clients of various unix flavors (RH linux 7.3,
> > Solaris 8, HPUX 11) to authenticate to our Active Directory. However,
> > the clients can only authenticate (and kpasswd) to the realm specified
> > in the default_realm, not to all the realms of the tree default_realm
> > is a part of.
> >
> > First of all, does kerberos have this capability? If so, what am I
> > missing?
> >
> > Our tree consists of various domains (i.e. DOM1.COMP.COM, DOM2.COMP.COM,
> > DOM3.COMP.COM) which are part of COMP.COM. There are DC's in all of the
> > various domains but not in COMP.COM. If default_realm is set to
> > DOM1.COMP.COM, only users of that domain can authenticate. Conversely,
> > if default_realm is set to DOM2.COMP.COM, only users of that domain can
> > authenticate.
> >
> This begs the question: how did you get the whole thing to work in the
> first place? What did you do at the AD end? Did you use SFU? Or AD4unix?
> I am very keen to know how you did it. Hwntw
I wish I knew. Because of division of labor, our AD, the DC's, the
whole tree is maintained and strictly governed by another group, near
the headquarters in another continent. I just followed Microsoft's
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
and tested it and authentication worked. Then I read lots of list
archives and SEAM and MIT Kerberos docs to understand how it worked.
> > I need only authentication for now. And, since our users travel,
> > users of a certain domain may use a computer of a different domain.
> >
> > RH Linux 7.3 pam_krb5-1.55-1
> > HPUX 11 PAM Kerberos v1.10
> > Solaris 8 SEAM 1.0.1
> >
> >
> > /etc/krb5.conf:
> >
> > [libdefaults]
> > default_realm = DOM1.COMP.COM
> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >
> > [realms]
> > DOM1.COMP.COM = {
> > kdc = kdcdom1.dom1.comp.com
> > kpasswd_protocol = SET_CHANGE
> > kpasswd_server = kdcdom1.dom1.comp.com
> > admin_server = kdcdom1.dom1.comp.com
> > }
> > DOM2.COMP.COM = {
> > kdc = kdcdom2.dom2.comp.com
> > kpasswd_protocol = SET_CHANGE
> > kpasswd_server = kdcdom2.dom2.comp.com
> > admin_server = kdcdom2.dom2.comp.com
> > }
> > [domain_realm]
> > .dom1.comp.com = DOM1.COMP.COM
> > dom1.comp.com = DOM1.COMP.COM
> > .dom2.comp.com = DOM2.COMP.COM
> > dom2.comp.com = DOM2.COMP.COM
> >
> > [logging]
> > default = FILE:/var/krb5/kdc.log
> > kdc = FILE:/var/krb5/kdc.log
> > kdc_rotate = {
> > period = 1d
> > versions = 10
> > }
> >
> > [appdefaults]
> > kinit = {
> > renewable = true
> > forwardable= true
> > }
> > rlogin = {
> > forwardable= true
> > }
> > rsh = {
> > forwardable= true
> > }
> > telnet = {
> > autologin = true
> > forwardable= true
> > }
> >
> >
> > Thanks
> > Ted
> >
> > ________________________________________________
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
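Added example, not part of the thread and not code from MIT Kerberos, SEAM or pam_krb5: a small Python linter for a krb5.conf like the one Ted quoted. It parses the file, shows which realm and KDC the client library would select for a given principal (the realm comes from the principal name; default_realm only applies when the name carries no realm), and flags realms with no kdc or [domain_realm] mapping and single-DES enctypes. The parser, the check functions and the names SAMPLE_KRB5_CONF and SINGLE_DES are my own; the embedded sample is constructed from the configuration in the message, trimmed to the keys the checks read.

```python
"""Added example (not from the mailing-list thread or from any Kerberos
implementation): parse a krb5.conf and check realm coverage and enctypes."""
import re

# Constructed sample: the relevant sections of the krb5.conf quoted in the
# thread, trimmed to the keys used by the checks below.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOM1.COMP.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
    DOM1.COMP.COM = {
        kdc = kdcdom1.dom1.comp.com
        kpasswd_protocol = SET_CHANGE
    }
    DOM2.COMP.COM = {
        kdc = kdcdom2.dom2.comp.com
        kpasswd_protocol = SET_CHANGE
    }

[domain_realm]
    .dom1.comp.com = DOM1.COMP.COM
    dom1.comp.com = DOM1.COMP.COM
    .dom2.comp.com = DOM2.COMP.COM
    dom2.comp.com = DOM2.COMP.COM
"""

# Single-DES enctypes, deprecated for Kerberos by RFC 6649 (name chosen here).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_krb5_conf(text):
    """Parse krb5.conf's INI-with-braces syntax into nested dicts.
    Repeated keys overwrite earlier ones, which is enough for these checks."""
    sections = {}
    stack = []                      # innermost open dict is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(\S+)\]\*?", line)  # section header, optional '*'
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: entry before any section")
        if line == "}":                          # end of a subsection
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        if value == "{":                         # start of a subsection
            sub = {}
            stack[-1][key] = sub
            stack.append(sub)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' subsection")
    return sections


def realm_for_principal(conf, principal):
    """The client takes the realm from the principal name; default_realm is
    used only when the name has no '@REALM' part (plain 'kinit user')."""
    if "@" in principal:
        return principal.rsplit("@", 1)[1]
    return conf.get("libdefaults", {}).get("default_realm")


def kdc_for_realm(conf, realm):
    """KDC named in [realms] for this realm, or None (the library would then
    fall back to DNS SRV lookup, which this checker does not perform)."""
    entry = conf.get("realms", {}).get(realm)
    return entry.get("kdc") if isinstance(entry, dict) else None


def lint(conf):
    """Return findings about realm coverage and enctype strength."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    mapped = set(conf.get("domain_realm", {}).values())
    default = libdefaults.get("default_realm")
    if default and default not in realms:
        findings.append(f"default_realm {default} has no [realms] entry")
    for realm in realms:
        if kdc_for_realm(conf, realm) is None:
            findings.append(f"{realm}: no kdc in [realms]; relies on DNS lookup")
        if realm not in mapped:
            findings.append(f"{realm}: no host-to-realm mapping in [domain_realm]")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enctype in libdefaults.get(key, "").split():
            if enctype in SINGLE_DES:
                findings.append(f"{key}: {enctype} is single DES (deprecated, RFC 6649)")
    return findings


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for princ in ("ted", "ted@DOM2.COMP.COM", "ted@DOM3.COMP.COM"):
        realm = realm_for_principal(conf, princ)
        print(f"{princ:20} -> realm {realm}, kdc {kdc_for_realm(conf, realm)}")
    for finding in lint(conf):
        print("finding:", finding)
```

Run against the sample, the script shows that a user of DOM2.COMP.COM is routed to kdcdom2 as long as the principal is given with its realm, that DOM3.COMP.COM has no KDC configured at all, and that every enctype the file lists is single DES; replacing the DES list with AES enctypes clears those four findings.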