On Wed, Nov 16, 2005 at 05:12:12PM +1100, Garth T Kidd wrote:

> I have two AD domains in separate forests: let's call them lab.au and
> users.com. I'm in complete control of lab.au, but not users.com.
> lab.au trusts users.com so that our users can log into my lab
> infrastructure with their own credentials, and I'd like to extend that
> ease of use to my Apache based lab control system.

then you should be able to use ktpass.exe to create a HTTP/[EMAIL PROTECTED]
principal for Apache, copy the keytab over to your server, and go from
there. using mod_auth_kerb, you'll just need to make sure that the
entries in your AuthGroupFile are in the form of [EMAIL PROTECTED]

> In krb5.conf I've set entries in [realms] keyed by the lowercase
> version of the domain, each with kdc= and admin_server= the
> (resolvable) name of the primary KDC. I've also added [domain_realm]
> entries for both.

even though it doesn't seem like it, the Windows AD's canonical realm
name is ALL.UPPERCASE, i think. this matters for, inter alia, salting
string-to-key mechanisms (e.g., kinit with password, when using
non-arcfour etype preauthentication), i think, so i'd make all realm
names uppercase

> Without a machine account, kinit -V [EMAIL PROTECTED] works on lab.au
> whether [libdefaults] default_realm = LAB.AU or USERS.COM. Watching
> the network, I see it resolve _kerberos._udp.LAB.AU and
> _kerberos._tcp.LAB.AU, then resolve the server nominated as the kdc in
> krb5.conf and, finally, talk to it.
>
> kinit -V [EMAIL PROTECTED], however, fails with: "kinit(v5): Cannot
> resolve network address for KDC in requested realm while getting
> initial credentials". The server looks up the SRV records for
> _kerberos._udp.USERS.COM and _kerberos._tcp.USERS.COM, both of which
> return ~30 records in nslookup, but doesn't then look up the kdc let
> alone talk to it.

OK. looks like you're using all-uppercase here even though your
krb5.conf is set up lowercase. again, if you just promote everything
case-wise in krb5.conf, then your configured servers should be used and
your problem go away, no?

as for the DNS-SRV location stuff, what does the DNS server's reply to
kinit look like? is nslookup perhaps getting a truncated reply flag and
then retrying with TCP? the kerberos library may not be able to handle
that circumstance as nimbly as nslookup, so if you have a domain with
tons of domain controllers, then you'd probably better go with hardwired
krb5.conf servers--unless one of the newer, improved krb5 releases can
handle huge SRV answers

--buck

> I'd like to be able to authenticate [EMAIL PROTECTED] either directly
> or via LAB.AU thanks to the trust relationship. Any ideas?
>
> Regards,
> Garth.
>
> ------------------------------
>
> _______________________________________________
> Kerberos mailing list
> [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> End of Kerberos Digest, Vol 35, Issue 19
> ****************************************
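Added example (editor's code, not from the thread) illustrating buck's remark that realm case feeds into string-to-key salting. RFC 4120 defines the default salt as the realm followed by the principal's name components with no separators, and RFC 3962 derives AES keys by PBKDF2-HMAC-SHA1 over password and salt before a final DK step. The code below computes the default salt and the PBKDF2 stage, and shows that the same password yields different key material for USERS.COM and users.com. The DK(tkey, "kerberos") step, which needs AES, is left out because it does not change that conclusion. Principal names such as garth@USERS.COM and HTTP/lab-web.lab.au@LAB.AU are constructed for illustration; the RFC 3962 Appendix B test vector ("password", salt "ATHENA.MIT.EDUraeburn", one iteration) is used to check the PBKDF2 stage.

```python
import hashlib

def default_salt(principal: str) -> bytes:
    """RFC 4120 default salt: REALM + name components, no separators.

    The realm is used as spelled, so "users.com" and "USERS.COM" give
    different salts and therefore different keys for the same password.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm or not name:
        raise ValueError("principal must look like name@REALM")
    components = name.split("/")          # e.g. HTTP/host -> ["HTTP", "host"]
    return (realm + "".join(components)).encode("utf-8")

def aes_tkey(password: str, salt: bytes, iterations: int = 4096,
             keylen: int = 16) -> bytes:
    """RFC 3962 string-to-key, first stage: PBKDF2-HMAC-SHA1.

    The real enctype then applies DK(tkey, "kerberos") with AES; that step
    is deterministic in tkey, so differing tkeys give differing final keys.
    Default iteration count per RFC 3962 is 4096.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, keylen)

def keys_differ_by_realm_case(password: str, name: str, realm: str) -> bool:
    """True if spelling the realm in upper vs lower case changes the key."""
    k_upper = aes_tkey(password, default_salt(f"{name}@{realm.upper()}"))
    k_lower = aes_tkey(password, default_salt(f"{name}@{realm.lower()}"))
    return k_upper != k_lower

if __name__ == "__main__":
    # Constructed principals for illustration only.
    for p in ("garth@USERS.COM", "garth@users.com", "HTTP/lab-web.lab.au@LAB.AU"):
        print(p, default_salt(p), aes_tkey("password", default_salt(p)).hex())
    print("realm case changes key:", keys_differ_by_realm_case("password", "garth", "users.com"))
```

Two caveats a practitioner should keep in mind: the RC4-HMAC ("arcfour") enctype that AD favoured in this era uses no salt at all, which is why buck scopes his remark to non-arcfour preauthentication; and when preauthentication is in use the KDC normally hands the client the salt in PA-ETYPE-INFO/ETYPE-INFO2, so the case of the realm in krb5.conf mostly bites tools that must derive keys without asking the KDC (keytab generation, offline key recomputation), not an ordinary kinit against a live KDC.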

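Added example (editor's code, not from the thread) for buck's question about whether the SRV reply for _kerberos._udp.USERS.COM comes back with the truncated (TC) flag. It builds an RFC 1035 SRV query, parses a reply including name-compression pointers, reports the TC bit, and, if the UDP reply was truncated, retries over TCP as resolvers do. A reply builder is included so the parser can be exercised offline on constructed records; the hostnames dcNN.users.com and any resolver address passed to query_srv are assumptions, not data from the thread. Thirty SRV records of that shape exceed the classic 512-byte UDP payload, which is exactly the situation where a truncated reply appears.

```python
import socket
import struct

TYPE_SRV = 33
CLASS_IN = 1
TC_FLAG = 0x0200          # TC bit in the DNS header flags (RFC 1035 4.1.1)

def encode_name(name: str) -> bytes:
    """Wire-format name, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(msg: bytes, off: int):
    """Return (name, offset just past the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer to earlier name
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def build_srv_query(name: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1
    return header + encode_name(name) + struct.pack("!HH", TYPE_SRV, CLASS_IN)

def parse_srv_reply(msg: bytes):
    """Return (truncated, [(priority, weight, port, target), ...])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    truncated = bool(flags & TC_FLAG)
    off = 12
    for _ in range(qd):                                # skip question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SRV and rclass == CLASS_IN:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            records.append((prio, weight, port, target))
        off += rdlen
    return truncated, records

def build_srv_reply(qname: str, targets, truncated: bool, txid: int = 0x1234) -> bytes:
    """Constructed reply for offline testing; owner names use a pointer to the question."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)     # QR=1, RD=1, RA=1
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(targets), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    for prio, weight, port, target in targets:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    return msg

def query_srv(name: str, resolver: str, timeout: float = 3.0):
    """UDP first; on TC, retry over TCP (RFC 1035 4.2.2). Needs network."""
    q = build_srv_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        truncated, records = parse_srv_reply(s.recv(4096))
    if not truncated:
        return "udp", records
    with socket.create_connection((resolver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise ConnectionError("short TCP reply")
            data += chunk
    return "tcp", parse_srv_reply(data)[1]
```

Use it as `query_srv("_kerberos._udp.USERS.COM", "<your resolver>")`: a "tcp" result means the UDP answer carried TC and the full KDC list only arrived over TCP, which is the case buck suspects kinit of handling less gracefully than nslookup. If that is what you see, hardwiring kdc= entries under an uppercase realm in krb5.conf sidesteps the SRV lookup entirely.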