G'day. I'm trying to get Apache on Linux 2.6.11-1.1369_FC4smp authenticating against a Windows Server 2003-based Active Directory infrastructure with trust relationships, and can't quite get it to work. I've spent a few hours searching the 'net, but so far to no great avail.
I have two AD domains in separate forests: let's call them lab.au and users.com. I'm in complete control of lab.au, but not users.com. lab.au trusts users.com so that our users can log into my lab infrastructure with their own credentials, and I'd like to extend that ease of use to my Apache-based lab control system.

In krb5.conf I've set entries in [realms] keyed by the lowercase version of the domain, each with kdc= and admin_server= set to the (resolvable) name of the primary KDC. I've also added [domain_realm] entries for both.

Without a machine account, kinit -V [EMAIL PROTECTED] works on lab.au whether [libdefaults] default_realm = LAB.AU or USERS.COM. Watching the network, I see it resolve _kerberos._udp.LAB.AU and _kerberos._tcp.LAB.AU, then resolve the server nominated as the kdc in krb5.conf and, finally, talk to it.

kinit -V [EMAIL PROTECTED], however, fails with: "kinit(v5): Cannot resolve network address for KDC in requested realm while getting initial credentials". The server looks up the SRV records for _kerberos._udp.USERS.COM and _kerberos._tcp.USERS.COM, both of which return ~30 records in nslookup, but doesn't then look up the kdc, let alone talk to it.

I'd like to be able to authenticate [EMAIL PROTECTED] either directly or via LAB.AU thanks to the trust relationship. Any ideas?

Regards,
Garth.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
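An added check, not part of Garth's post or of his actual configuration: a small Python linter for the [realms] and [domain_realm] sections of a krb5.conf. The sample krb5.conf embedded below is constructed to model the layout the post describes (realm stanzas keyed by the lowercase domain name); the KDC hostnames dc1.lab.au and dc1.users.com are assumptions. MIT Kerberos realm names are case-sensitive and a [realms] stanza is matched by the requested realm name exactly, so a stanza keyed users.com is never consulted when a principal in USERS.COM is requested and the library falls back to whatever it can find in DNS. The linter parses the file, mimics that exact-match lookup, flags the lowercase keys and the [domain_realm] mappings that point at stanzas which do not exist, and shows the corrected form alongside.

```python
"""krb5.conf linter: parse [realms] / [domain_realm] and flag realm
stanzas that can never match because they are not keyed by the
canonical (uppercase) realm name."""
import re

# Constructed sample modelled on the layout described in the post.
# Hostnames dc1.lab.au / dc1.users.com are assumptions, not from the post.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = LAB.AU
    dns_lookup_kdc = true

[realms]
    lab.au = {
        kdc = dc1.lab.au
        admin_server = dc1.lab.au
    }
    users.com = {
        kdc = dc1.users.com
        admin_server = dc1.users.com
    }

[domain_realm]
    .lab.au = LAB.AU
    lab.au = LAB.AU
    .users.com = USERS.COM
    users.com = USERS.COM
"""


def parse_krb5_conf(text):
    """Parse the subset of krb5.conf syntax used here into nested dicts.

    Sections are [name]; entries are 'key = value' or 'key = { ... }'
    (a brace-delimited sub-stanza, as used for each realm)."""
    conf = {}
    stack = []  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r'\[(\S+)\]', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            stack = [section]
            continue
        if line == '}':
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1][key] = value
    return conf


def find_kdc(conf, realm):
    """Mimic the library's exact-match [realms] lookup: the stanza must be
    keyed by the realm name exactly as requested. Returns the kdc value or
    None when no stanza matches (the DNS-fallback case)."""
    stanza = conf.get('realms', {}).get(realm)
    return None if stanza is None else stanza.get('kdc')


def lint(conf):
    """Return a list of findings about realm stanzas that will be ignored."""
    findings = []
    realms = conf.get('realms', {})
    for key in realms:
        if key != key.upper():
            findings.append(f"[realms] stanza '{key}' is not uppercase; a request "
                            f"for realm {key.upper()} will not match it")
    for domain, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {domain} to {realm}, but there "
                            f"is no [realms] stanza keyed exactly {realm}")
    return findings


def uppercase_realm_keys(conf):
    """Return a copy of conf with every [realms] stanza re-keyed to the
    canonical uppercase realm name (the fix for the finding above)."""
    fixed = dict(conf)
    fixed['realms'] = {k.upper(): v for k, v in conf.get('realms', {}).items()}
    return fixed


if __name__ == '__main__':
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in lint(conf):
        print('FINDING:', finding)
    print('USERS.COM kdc before fix:', find_kdc(conf, 'USERS.COM'))
    print('USERS.COM kdc after fix: ', find_kdc(uppercase_realm_keys(conf), 'USERS.COM'))
```

Run it on a real file by replacing SAMPLE_KRB5_CONF with the contents of /etc/krb5.conf; an empty findings list means every realm stanza is reachable by exact match, and find_kdc returning the configured host for the realm you are about to kinit into is what you want to see before chasing DNS.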
