Okay, let me see if I understand.

The UX realm is MIT Kerberos, and the host/* key in the keytab for the
host is in the UX realm?  But the default realm listed in krb5.conf is the
AD realm?

Correct.

If you kinit to the principal in the AD realm, and then run:

     kvno host/<system>

where <system> is the local FQDN, are you able to obtain cross-realm
service tickets for the host key for that system?

Yes I am:

$ kvno host/<system>@<UX realm>
host/<system>@<UX realm>: kvno = 3

But I cannot obtain a cross-realm ticket if I remove the "allow_weak_crypto = true" directive:

$ kdestroy
$ kinit
Password for salzmann@<AD realm>:
$ kvno host/host/<system>@<UX realm>
kvno: KDC has no support for encryption type while getting credentials for 
host/host/<system>@<UX realm>



It may be that the MIT Kerberos code isn't doing cross-realm ticket
verification properly, but I do think this is supposed to work.  You may
have a missing domain_realm mapping, though.  Do you have any domain_realm
settings for the hostname of the server in /etc/krb5.conf?

We have been running this cross-realm setup for years. We even migrated 
successfully to a new AD realm and a new UX realm. At the moment, a few hundred 
production hosts (pure lenny) work this way: users live in AD world, machines 
in UX world.


ciao
Christian
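As an added illustration (not part of Christian's message or the quoted reply), here is a constructed krb5.conf laying out the arrangement the thread describes: users in the AD realm as default realm, the host principal in the MIT realm via a domain_realm mapping, and the allow_weak_crypto directive under discussion. Realm names, hostnames and KDC names are placeholders, not the poster's.

```ini
# Constructed example, not taken from the thread. AD.EXAMPLE.COM stands for
# the AD realm, UX.EXAMPLE.COM for the MIT realm, host1.ux.example.com for
# the local host whose host/* key sits in the UX keytab.
[libdefaults]
    # Users kinit against AD, so AD is the default realm.
    default_realm = AD.EXAMPLE.COM
    dns_lookup_kdc = true
    # The directive the thread depends on. With it, single-DES enctypes are
    # offered and accepted; without it the client omits them from its
    # TGS-REQ, and a KDC whose cross-realm krbtgt or host key exists only in
    # DES answers "KDC has no support for encryption type". Leaving it off
    # therefore requires re-keying those principals with non-DES enctypes
    # on both KDCs, which is the fix rather than re-enabling DES.
    # allow_weak_crypto = true

[realms]
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }
    UX.EXAMPLE.COM = {
        kdc = kdc1.ux.example.com
        admin_server = kdc1.ux.example.com
    }

[domain_realm]
    # Machines live in the MIT realm. This mapping tells the library that
    # host/host1.ux.example.com belongs to UX.EXAMPLE.COM, so a client holding
    # an AD TGT first asks AD for krbtgt/UX.EXAMPLE.COM@AD.EXAMPLE.COM and then
    # asks the UX KDC for the host ticket. Without a mapping the library falls
    # back to the default realm (or KDC referrals), which is why the quoted
    # reply asks whether the server's hostname is mapped here.
    .ux.example.com = UX.EXAMPLE.COM
    ux.example.com = UX.EXAMPLE.COM

[capaths]
    # Direct trust between the two realms, no intermediate hop.
    AD.EXAMPLE.COM = {
        UX.EXAMPLE.COM = .
    }
```

Checking which principal still carries only DES keys is done on the KDCs themselves (kadmin getprinc on the MIT side, the account's supported encryption types on the AD side), not from the client.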