[31899] in Kerberos


Krb5.conf in multi domain/forest environment

daemon@ATHENA.MIT.EDU (antti.ropponen@accenture.com)
Tue Jan 12 02:51:55 2010

From: <antti.ropponen@accenture.com>
To: <kerberos@mit.edu>
Date: Tue, 12 Jan 2010 08:51:38 +0100
Message-ID: <7C5AAB484E9277419C3B2B0CEA08E24201A41B98767A@EMEXM3113.dir.svc.accenture.com>

Hi,

I need to set up a Kerberos client for over 50 domains in 3 forests, where
there is a two-way forest level trust. The Kerberos client has an account in
one of the forests. SPNEGO works just fine when an end-user is in the same
domain/forest as the Kerberos client, but fails if the end-user is in a
different domain/forest.

From the documentation I know that while there is a forest level trust, this
is doable. The problem is that I don't know how to configure Kerberos to
enable this functionality.

Does anyone have experience with how a Kerberos client can/should be configured
in an environment like this? Or is the only way to create over 50 accounts
for the Kerberos client into those separate domains, merge keytabs and list
all the domains & realms in the Kerberos configuration?

Regards,

Antti

