I'm setting up a multi-realm (Windows/Unix) environment. I think I've got it all figured out except for one thing.
How does the Windows KDC know that mymachine.unixnet.mycompany.com is in the realm UNIXNET.MYCOMPANY.COM? In the MIT implementation, the client would have done this using the [domain_realm] configuration in krb5.conf. Where does one configure this in the Windows (2003) server? I've got a separate KDC for the Unix realm and I'm doing referrals. I hope that, like krb5.conf, I can configure the mapping once for the entire DNS domain (e.g. [domain_realm] .unixnet.mycompany.com UNIXNET.MYCOMPANY.COM).

------------------------------------------------------

Here's the scenario in gory detail. I have two realms (or whatever Microsoft calls things in their world), WINDOWSNET.MYCOMPANY.COM and UNIXNET.MYCOMPANY.COM. My desktop is in WINDOWS.MYCOMPANY.COM. I'm going to do Kerberos referrals, and I think I have that figured out.

IE6 attempts to access http://mymachine.unixnet.mycompany.com/whatever.html. The server is kerberized a la SPNEGO. I've got enough set up so that I see the client request a ticket back to the Windows KDC for the service principal HTTP/[EMAIL PROTECTED] (with the fancy "canonicalize" bit set according to draft-ietf-krb-wg-kerberos-referrals-03). Now it's the server's job to return a ticket for HTTP/[EMAIL PROTECTED] (note that it should change the realm to UNIXNET...).

That's where I'm lost. I can't find any way to configure the domain/realm relationship. Will the server see the cross-realm trust and just assume that if there is a trust to UNIXNET.MYCOMPANY.COM, then mymachine.unixnet.mycompany.com must be a member of that realm?

-----------------------------------------
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
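
An added illustration, not part of the original message: a simplified Python model of the client-side [domain_realm] lookup the post refers to, trying the host name first and then each enclosing DNS domain. The sample krb5.conf text, the "=" key/value layout and all function names are constructed for this example; it says nothing about how a Windows KDC is configured.

```python
# Added example: simplified model of a krb5.conf [domain_realm] lookup.
# SAMPLE_CONF is constructed; host and realm names are the ones in the post.
SAMPLE_CONF = """
[libdefaults]
    default_realm = WINDOWSNET.MYCOMPANY.COM

[domain_realm]
    # a leading dot marks a whole DNS domain, no dot marks a single host
    .unixnet.mycompany.com = UNIXNET.MYCOMPANY.COM
    unixnet.mycompany.com = UNIXNET.MYCOMPANY.COM
    .mycompany.com = WINDOWSNET.MYCOMPANY.COM
"""

def parse_domain_realm(text):
    """Return the [domain_realm] section as {lower-cased key: realm}."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def candidates(hostname):
    """Lookup keys from most to least specific: the host itself, then
    '.parent' and 'parent' for each enclosing DNS domain."""
    host = hostname.lower().rstrip(".")
    keys = [host]
    while "." in host:
        host = host.split(".", 1)[1]
        keys += ["." + host, host]
    return keys

def realm_for_host(hostname, mapping):
    """First matching key wins. None means there is no static mapping, so
    the realm must come from elsewhere (for example a KDC referral)."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key]
    return None

if __name__ == "__main__":
    m = parse_domain_realm(SAMPLE_CONF)
    for h in ("mymachine.unixnet.mycompany.com", "desktop.mycompany.com"):
        print(h, "->", realm_for_host(h, m))
```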
