[29771] in Kerberos
cross domain trusts
daemon@ATHENA.MIT.EDU (Montenegro, Michael H (Michael))
Mon Apr 28 22:52:58 2008
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Mon, 28 Apr 2008 16:31:09 -0500
Message-ID: <2913A3558D148A4FB0B9C1F5AB6B47C40220A603@ILEXC1U03.ndc.lucent.com>
From: "Montenegro, Michael H (Michael)" <mhm4@alcatel-lucent.com>
To: <Kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
I have a question regarding trusted AD domains (realms) with
mod_auth_kerb v5.3. I have reviewed the mod_auth_kerb site and checked
various forums but I couldn't locate a solution.
My environment:
Multiple Windows 2003 SP1 AD domains that trust each other.
MIT Kerberos 1.6.3
Apache 2.0.59
Mod_auth_kerb v5.3
The domain abc.domain.com has the HTTP service principal and I can
successfully authenticate all AD users in abc.domain.com using a web
site protected by mod_auth_kerb.
The problem is that when a user in another domain, for example
xyz.domain.com, tries to access the site they are prompted with a login
screen.
The apache log only shows:
[Fri Apr 25 12:28:41 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
However, a successful connection to abc.domain.com shows:
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1172): [client xxx.xxx.x.x] Acquiring creds for HTTP/webserver.domain.com@ABC.DOMAIN.COM
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1316): [client xxx.xxx.x.x] Verifying client data using KRB5 GSS-API
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1332): [client xxx.xxx.x.x] Verification returned code 0
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1350): [client xxx.xxx.x.x] GSS-API token of length 161 bytes will be sent back
My .htaccess:
AuthType Kerberos
AuthName "Kerberos Login"
KrbServiceName HTTP/webserver.domain.com@ABC.DOMAIN.COM
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbVerifyKDC on
Krb5Keytab /etc/krb5.keytab
KrbAuthRealms ABC.DOMAIN.COM XYZ.DOMAIN.COM
require valid-user
My /etc/krb5.conf:
[libdefaults]
    default_realm = ABC.DOMAIN.COM
    ticket_lifetime = 24000
    dns_lookup_realm = true
    dns_lookup_kdc = true
[realms]
    ABC.DOMAIN.COM = {
        kdc = ad1.abc.domain.com.:88
        kdc = ad1.abc.domain.com.:88
        admin_server = ad1.abc.domain.com.:464
        default_domain = abc.domain.com
    }
    XYZ.DOMAIN.COM = {
        kdc = ad1.xyz.domain.com.:88
        kdc = ad1.xyz.domain.com.:88
        admin_server = ad1.xyz.domain.com.:464
        default_domain = xyz.domain.com
    }
[domain_realm]
    .ad1.abc.domain.com = ABC.DOMAIN.COM
    ad1.abc.domain.com = ABC.DOMAIN.COM
    .ad1.xyz.domain.com = XYZ.DOMAIN.COM
    ad1.xyz.domain.com = XYZ.DOMAIN.COM
On the web server:
I can successfully kinit user1@XYZ.DOMAIN.COM
I can successfully kinit user2@ABC.DOMAIN.COM
Do I need to have an HTTP service principal created in each AD domain? I
have also set the delegation on the AD service principal account to
"Trust this user for delegation to any service (Kerberos Only)".
The trust I have on ABC.DOMAIN.COM is listed under "Domains trusted by
this domain":
Domain Name       Trust type   Transitive
XYZ.DOMAIN.COM    External     NO
Any help is greatly appreciated,
Michael
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
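The two log excerpts in the post differ in one telling way: the failing request from the xyz.domain.com user never gets past "kerb_authenticate_user entered with user (NULL)", while the working abc.domain.com request goes on to "Acquiring creds", "Verifying client data" and "Verification returned code 0". mod_auth_kerb logs only the entry line when the request carried no Negotiate token at all; it answers with a 401 challenge, and a browser that cannot obtain a service ticket for HTTP/webserver.domain.com@ABC.DOMAIN.COM falls back to the login prompt the poster sees. The following script is an added example, not code from the post or from mod_auth_kerb, that parses debug lines in the exact format shown above and classifies each authentication attempt as challenge-only (no token presented), verified, or rejected. The sample log is the poster's own lines with the mail wrapping undone; the redacted client address xxx.xxx.x.x is kept as-is.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the debug lines quoted in the post, one log record per line.
SAMPLE_LOG = """\
[Fri Apr 25 12:28:41 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1485): [client xxx.xxx.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1172): [client xxx.xxx.x.x] Acquiring creds for HTTP/webserver.domain.com@ABC.DOMAIN.COM
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1316): [client xxx.xxx.x.x] Verifying client data using KRB5 GSS-API
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1332): [client xxx.xxx.x.x] Verification returned code 0
[Fri Apr 25 12:28:50 2008] [debug] src/mod_auth_kerb.c(1350): [client xxx.xxx.x.x] GSS-API token of length 161 bytes will be sent back
"""

# Apache 2.0 error_log layout: [timestamp] [level] file(line): [client addr] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[debug\] src/mod_auth_kerb\.c\((?P<src>\d+)\): "
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
ACQUIRE_RE = re.compile(r"Acquiring creds for (\S+)")
VERIFY_RE = re.compile(r"Verification returned code (\d+)")
TOKEN_RE = re.compile(r"GSS-API token of length (\d+) bytes")


@dataclass
class Attempt:
    """One pass through kerb_authenticate_user for one client request."""
    when: datetime
    client: str
    service: Optional[str] = None      # principal whose keytab entry was used
    verify_code: Optional[int] = None  # GSS-API major status, 0 = accepted
    token_len: Optional[int] = None    # size of the reply token sent to the browser
    messages: List[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        if self.verify_code is None:
            # Only the entry line was logged: the request carried no Negotiate
            # token, so the module replied with a 401 challenge and nothing else.
            return "no_token" if self.service is None else "incomplete"
        return "verified" if self.verify_code == 0 else f"rejected({self.verify_code})"


def parse_attempts(log_text: str) -> List[Attempt]:
    """Group mod_auth_kerb debug lines into per-request attempts, keyed by client."""
    attempts: List[Attempt] = []
    open_by_client: Dict[str, Attempt] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if "kerb_authenticate_user entered" in msg:
            # Every request starts here; a new entry line means a new attempt.
            attempt = Attempt(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["client"])
            attempts.append(attempt)
            open_by_client[attempt.client] = attempt
            continue
        attempt = open_by_client.get(m["client"])
        if attempt is None:
            continue  # continuation line with no preceding entry for this client
        attempt.messages.append(msg)
        if (mm := ACQUIRE_RE.search(msg)):
            attempt.service = mm.group(1)
        elif (mm := VERIFY_RE.search(msg)):
            attempt.verify_code = int(mm.group(1))
        elif (mm := TOKEN_RE.search(msg)):
            attempt.token_len = int(mm.group(1))
    return attempts


def status_counts(attempts: List[Attempt]) -> Counter:
    """How many attempts ended in each state; a pile of no_token with no
    verified follow-up from the same client means browsers had no ticket to send."""
    return Counter(a.status for a in attempts)


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(f"{a.when:%H:%M:%S} {a.client:<12} {a.status:<10} "
              f"service={a.service} token_len={a.token_len}")
    print(dict(status_counts(parse_attempts(SAMPLE_LOG))))
```

Run against the sample, the 12:28:41 attempt and the first 12:28:50 attempt both come out as no_token: the first is the xyz.domain.com user's browser, which never answered the challenge, and the second is the normal initial challenge that precedes the abc.domain.com user's verified request. Since the post redacts both clients to the same address, the script cannot tell the two users apart; on a real error_log the client field and the timestamps do that, and a client whose attempts are all no_token is one that could not get a ticket for the service principal named in the "Acquiring creds" line.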