Digant Kasundra wrote:
>
> > That is the only way to do it. There is no term called
> > "pass-through" authentication within Kerberos. The
> > authentication between the MIT and Microsoft realms is based
> > on cross-realm trusts. This is exactly what is described on the page:
>
> I guess I am using the phrase "pass-through" authentication as it is
> referenced below:
>
> http://acd.ucar.edu/~fredrick/linux/kerberos/testbed.html
>
> (e.g. a workstation on a domain authning against Krb and authzing against AD
> as opposed to a standalone workstation doing the same thing).
>
> Sorry for my misunderstandings.
>
> That being the case, when a user tries to login using [EMAIL PROTECTED],
> I do see a request hit the KDC but the user still does not get logged in.
> According to the logs, I see an AS_REQ "[EMAIL PROTECTED] for
> krbtgt/[EMAIL PROTECTED]".

Yes, that is the first step. This would then be used by the workstation to get a ticket for the workstation if the workstation is in the same realm as the user. If not, this would be used to get a krbtgt.

> In my principals on the KDC machine
> (montyburns), I have [EMAIL PROTECTED], krbtgt/[EMAIL PROTECTED],
> krbtgt/[EMAIL PROTECTED] and krbtgt/[EMAIL PROTECTED] (as well as the
> kadmin ones that are created at install).
>
> What else should I look at?

Is the workstation part of a domain? What does ksetup on the workstation show?

> ________________________________________________
> Kerberos mailing list [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
