Christopher D. Clausen wrote:
> Lars Schimmer <[EMAIL PROTECTED]> wrote:
>> Christopher D. Clausen wrote:
>>> Lars Schimmer <[EMAIL PROTECTED]> wrote:
>>>> Thanks for the link.
>>>> Maybe I don't get it right on my thoughts.
>>>> Setup here:
>>>> AD with 1 server and x clients
>>>> krb5 server on debian on extra machine
>>> So you have an Active Directory domain that the Windows machines are
>>> on?
>> Yes, there is an AD domain in which the PCs are.
>>
>>> And a separate Kerberos Realm for the Linux machines?
>> The REALM is the same as the AD domain (both are CGV.TUGRAZ.AT or in
>> lower case cgv.tugraz.at)
>
> Okay, this sounds bad. You'll likely need to rename either the domain
> or the realm. (I believe there is a Windows tool to rename a domain.)
OK, we are just 20 people here using our REALM and no entry in DNS server,
I think it is easier to rename the REALM instead of the AD domain.
We got a /25 subnet and a DNS entry cgv.tugraz.at (yes, academic). Within
this I wanted to setup OpenAFS (I think it should be named after the DNS
entry cgv.tugraz.at), krb5 auth (I thought CGV.TUGRAZ.AT is best and the
only usable one), linux clients (no probs so far) and an AD domain with
its own AD domain server. And I think for DNS/network/... purposes it is
far easier to name the AD domain after the DNS entry cgv.tugraz.at (e.g.
names of clients, IPs via dhcp, ...).
I thought the only possible usable REALM was CGV.TUGRAZ.AT and I set it
up that way and was happy as it worked for the most needed parts (login
into AD domain [with own AD password], getting ticket from krb5 server
for CGV.TUGRAZ.AT REALM and getting token automatically).

> Maybe someone else has an idea for you? I don't think you can even
> setup a realm trust if the realm names are the same b/c the cross-realm
> TGT (krbtgt) would overwrite the current realm's TGT.
>
>>> Do you have a realm trust between these? B/c it's not likely to work
>>> if you don't.
>> There is no realm trust between both (which are the same).
>> I use cgv.tugraz.at as an AD domain for login and CGV.TUGRAZ.AT for
>> obtaining tickets/tokens.
>
> You cannot have this work just b/c the realms are the same. There needs
> to be a trust setup between the realms, or you need to have ALL your
> non-Windows machines also use the Windows domain as a KDC instead of the
> MIT one.

Some time ago it was easier to setup the MIT krb5 server instead of using
AD krb5 auth together with OpenAFS. And I thought using MIT krb5 software
on Windows with an active ticket for the correct REALM is the needed part
for logging in with putty via ticket forwarding.

> And please reply to the list and not to me directly.

Sorry, it went wrong here. Damned icedove.
> <<CDC
>

MfG,
Lars Schimmer

--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405 E-Mail: [EMAIL PROTECTED]
Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723
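For readers following the "rename the MIT realm, then set up a trust" route that Christopher recommends above, here is what the Linux-side krb5.conf would look like. This is an added illustration, not configuration from the thread or from Lars's setup: the renamed MIT realm AFS.CGV.TUGRAZ.AT, the KDC host names and the domain_realm mapping are placeholders chosen for the example, while the AD domain keeps CGV.TUGRAZ.AT so the Windows logins are untouched.

```ini
# /etc/krb5.conf on the Linux/OpenAFS clients (added example; the realm
# name AFS.CGV.TUGRAZ.AT and all host names are placeholders)
[libdefaults]
    # Users' own principals live in the renamed MIT realm.
    default_realm = AFS.CGV.TUGRAZ.AT
    dns_lookup_kdc = false
    # Forwardable TGTs are what the PuTTY ticket-forwarding login needs.
    forwardable = true

[realms]
    # The MIT KDC on the Debian box, now under a name that no longer
    # collides with the AD domain.
    AFS.CGV.TUGRAZ.AT = {
        kdc = krb5.cgv.tugraz.at            # placeholder host name
        admin_server = krb5.cgv.tugraz.at   # placeholder host name
    }
    # The AD domain keeps its realm name; its domain controller is the KDC.
    CGV.TUGRAZ.AT = {
        kdc = dc1.cgv.tugraz.at             # placeholder host name
    }

[domain_realm]
    # Service principals for hosts in cgv.tugraz.at are looked up in the
    # MIT realm; the AD realm is reached through the cross-realm trust.
    .cgv.tugraz.at = AFS.CGV.TUGRAZ.AT
    cgv.tugraz.at = AFS.CGV.TUGRAZ.AT

[capaths]
    # Direct two-way trust: a TGT in either realm is exchanged for the
    # other realm's krbtgt ticket with no intermediate realm.
    AFS.CGV.TUGRAZ.AT = {
        CGV.TUGRAZ.AT = .
    }
    CGV.TUGRAZ.AT = {
        AFS.CGV.TUGRAZ.AT = .
    }
```

The trust itself is the pair of cross-realm principals krbtgt/CGV.TUGRAZ.AT@AFS.CGV.TUGRAZ.AT and krbtgt/AFS.CGV.TUGRAZ.AT@CGV.TUGRAZ.AT, which have to exist with the same key on both sides: on the MIT side they are created with kadmin's addprinc, and the matching realm trust is created on the AD side with the domain's own trust tools. This also makes Christopher's point concrete: with identical realm names that principal would be krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT, the realm's own TGT principal, which is why the rename has to come before the trust. After the change, a kinit in one realm followed by an ssh to a host in the other should leave klist showing both the local TGT and the cross-realm krbtgt ticket.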
