"Schikora, Dominik" wrote: > > HI > > > > We manage to achieve that User with a mapped Principal can > > login on a > > > client in the AD with the MIT Realm Principal and Password. > > He gets a > > > tgt for the MIT realm and one for the AD 2003 Domain. But > > if the same > > > user login on a client in the AD with the Principal and > > Password from > > > the AD Domain he only gets a tgt for the AD domain. > > > > Yes that would be normal, see below. > > > > > If he tries to use a > > > service in the MIT realm he gets a Error from the AD 2003 Domain > > > Controller "KDC_S_Principal_unknown". > > > > Sounds like the client lib is assuming the service is in the > > user's realm. > > > > The client has to determine the realm of the service. > > > > If the client lib is the Microsoft lib, and the KDC is the > > AD, then "referrals" > > might work as the wrong KDC can refer the client to some other realm. > > But referrals only work within the domain forest, as the AD > > does not know about the MIT realm and the servers registered there. > > (Referrals are not standard yet.) If the client lib is MIT, > > the client will try and use the krb5.conf [domain_realm] > > section or DNS domain name to determine the realm of the service. > > > > Once the client lib realizes the service is in another realm > > from the user, it will use the user's TGT to get the cross > > realm TGT when it will use to get the service ticket. > > > > > The Problem is that the User don't get a cross real ticket from the > > > MIT Realm if he log in a [EMAIL PROTECTED] Domain. > > > > See above, it will only ask for a cross realm TGT if it needs > > to get a service ticket from that realm. > > > > Thanks for the quick response. > Now I have installed the Kerberos for Windows 2.6.4 tools and configured > krb5.ini file with the [domain_realm] stanza like.. 
> > [domain_realm] > .ad2003test.local = AD2003TEST.LOCAL > ad2003test.local = AD2003TEST.LOCAL > .unix.realm.local = UNIX.REALM.LOCAL > unix.realm.local = UNIX.REALM.LOCAL > > If I login with the AD Domain User Name and Password and try to use a > resource in the MIT Kerberos realm (UNIX.REALM.LOCAL)I get an cross real > tgt from the AD KDC and then service tickets from the MIT KDC. I figured > out that this is because the ssh client (Putty 0.53 with Patch) uses the > MIT sspi plug-in. So the cross realm have to be set up correct. > > I also read about Kerberos Referrals in O#Reilly Kerberos book so I > think there could by two sources of errors > > First the AD KDC don't issue a cross realm TGT if he do not find the > service in his Kerberos database. Question is why not and how he chooses > which service is in which realm. DNS Lookup?
I believe the AD uses the Forest's Global catalog, or some other forest to forest protocol. But not that this is MS only. It is not clear if the AD has a way to refer you to a KDC outside the MS world. > > Second the the ssh-client do not know how to handle the response from > the AD KDC. As I said referrals are not yet part of the standard. Microsoft has implemented their version. The IETF krb-wg is reviewing this. > > Thanks > > Domink -- Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
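Added example (not part of the thread, and not the MIT library's own code): a small Python model of the [domain_realm] lookup Doug describes, fed with Dominik's krb5.ini stanza. The matching order used here (exact host entry, then each parent domain with and without a leading dot, then an optional DNS TXT hook, then the upper-cased DNS domain) is taken from the krb5.conf documentation and is an assumption about the library's exact behaviour; the Microsoft referral path is not modelled. tickets_needed() then names the two principals the client has to ask for: the cross-realm TGT from the AD KDC, and only then the service ticket from the MIT KDC. The hostnames in the usage section are constructed.

```python
"""Model of how an MIT-style client picks the realm of a service.

Written from the documented [domain_realm] semantics in the krb5.conf
manual; this is NOT the library's own code (assumption: the real library
may also consult DNS TXT records and, with the Microsoft lib, referrals).
"""

# The [domain_realm] stanza quoted in the thread, used as sample input.
KRB5_INI = """
[domain_realm]
.ad2003test.local = AD2003TEST.LOCAL
ad2003test.local = AD2003TEST.LOCAL
.unix.realm.local = UNIX.REALM.LOCAL
unix.realm.local = UNIX.REALM.LOCAL
"""


def parse_domain_realm(text):
    """Return {pattern: realm} from the [domain_realm] section of krb5.ini/krb5.conf."""
    mapping = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = value      # hostnames/domains are case-insensitive
    return mapping


def host_realm(hostname, mapping, dns_txt=None):
    """Pick the realm for a host (documented MIT order, modelled as an assumption).

    1. an exact hostname entry, e.g. "crash.mit.edu"
    2. walking up the parents: ".parent" (hosts under parent), then "parent"
       (the domain itself and hosts under it not matched by an earlier rule)
    3. a DNS TXT record, represented here by an optional callback
    4. the hostname's domain portion, upper-cased
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    if dns_txt is not None:
        realm = dns_txt(host)
        if realm:
            return realm
    # Last resort: "host.example.org" -> "EXAMPLE.ORG"
    return ".".join(labels[1:]).upper() if len(labels) > 1 else host.upper()


def tickets_needed(client_realm, service, hostname, mapping):
    """List the principals a client in client_realm must obtain tickets for.

    Same realm: just the service ticket. Different realm: first the cross-realm
    TGT krbtgt/SERVICE_REALM@CLIENT_REALM from the client's own KDC, then the
    service ticket from the service realm's KDC using that TGT.
    """
    service_realm = host_realm(hostname, mapping)
    service_princ = f"{service}/{hostname.lower()}@{service_realm}"
    if service_realm == client_realm:
        return [service_princ]
    return [f"krbtgt/{service_realm}@{client_realm}", service_princ]


if __name__ == "__main__":
    mapping = parse_domain_realm(KRB5_INI)
    # An AD user (constructed host shell1.unix.realm.local) reaching the MIT realm.
    for princ in tickets_needed("AD2003TEST.LOCAL", "host",
                                "shell1.unix.realm.local", mapping):
        print(princ)
```

For the AD user the script prints krbtgt/UNIX.REALM.LOCAL@AD2003TEST.LOCAL followed by host/shell1.unix.realm.local@UNIX.REALM.LOCAL, which is the two-step path the thread is debugging: the first request is the one the AD KDC has to answer, so if it fails there while the mapping resolves correctly on the client, the cross-realm setup on the AD side is what to look at rather than the client's [domain_realm] stanza.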
