A few months ago I started a project to allow a Windows domain to trust
another Windows domain that trusts an MIT Kerberos Realm for user logons.
An example of this setup would be
SCHOOL.EDU <- our MIT Realm
AD.SCHOOL.EDU <- the Windows domain that trusts the MIT Realm
OTHER.AD.SCHOOL.EDU <- a trusting Windows domain
All of the Windows servers are Windows Server 2003.
We have established a forest trust between the two Windows domains/forests,
entered a new Domain Suffix in AD.SCHOOL.EDU for SCHOOL.EDU, established a
REALM Trust between AD.SCHOOL.EDU and SCHOOL.EDU, used KSETUP or registry
entries to add the references to the KDCs for SCHOOL.EDU on the
workstations in OTHER.AD.UPENN.EDU. Additionally users in AD.SCHOOL.EDU
have a name mapping to their MIT Kerberos principal.
In this setup, someone with a user account in AD.SCHOOL.EDU can walk up to
a workstation in OTHER.AD.SCHOOL.EDU, enter their MIT Kerberos
principal and password, select SCHOOL.EDU (Kerberos Realm) from the "Log
on to:" box, and be authenticated as their user account in AD.SCHOOL.EDU.
The preceding solution works great, but I've found that if we establish a
trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy
as AD.SCHOOL.EDU) then user logons fail.
I've gone as far as setting up 2 other domains in a different DNS hierarchy
and then swapping the trust around between the 4 and it's definitely
something to do with how the domains are arranged DNS-wise. None of them
are in the same forests, so it seems like some parent DNS suffix fallback
that's being applied, but I have no idea where to look.
Any ideas?
thanks
andrew
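An added example, not part of Andrew's post: the KSETUP step described above on a workstation, followed by a read-back of the registry key KSETUP writes to, so the realm-to-KDC mapping can be compared between workstations in the domains where logon works and the one where it fails. The KDC host name is a placeholder assumption.

```powershell
# Added example (not from the original post): apply and then verify the
# workstation-side KDC mapping for the MIT realm. The KDC host name is a
# placeholder assumption; substitute the real KDCs for the realm.
$Realm = 'SCHOOL.EDU'
$Kdcs  = @('kdc1.school.edu')   # placeholder KDC host name(s)

# ksetup stores the mapping under HKLM\...\Lsa\Kerberos\Domains\<REALM>
foreach ($kdc in $Kdcs) {
    & ksetup.exe /addkdc $Realm $kdc
}

function Get-KerberosRealmMapping {
    # Reads back every realm ksetup has configured on this workstation,
    # with its KDC list and RealmFlags, for side-by-side comparison.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            Realm      = $_.PSChildName
            KdcNames   = @($p.KdcNames) -join ', '
            RealmFlags = $p.RealmFlags
        }
    }
}

# Expect one row per configured realm; a missing SCHOOL.EDU row on the
# failing workstation means the mapping never reached it.
Get-KerberosRealmMapping | Format-Table -AutoSize
```

Running `ksetup /dumpstate` on the same machine should agree with the table.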
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/