Hello,
At our site we have multiple AD realms (LOC1.DOM.COM, LOC2.DOM.COM,
etc.) that all trust each other. There are users set up in each realm
that need to access the Linux systems I maintain. Today, we have a
completely independent realm (with our own principal for each user)
that I want to do away with and just join the AD structure (i.e. be
assimilated ;) ).
I have proven that with krb5-1.5.3 I can set my default realm to
LOC1.DOM.COM and effectively log in (my account is in LOC1). Users
from other realms cannot. I'm curious what I need to do to make this
work. We have SRV records set up for kdc lookup. I have not yet
created a computer account for the system. In /etc/krb5.conf I have:
[libdefaults]
    default_realm = LOC1.DOM.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false
    forwardable = true

[realms]
    LOC1.DOM.COM = {
        auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@.*//
        auth_to_local = DEFAULT
    }
    LOC2.DOM.COM = {
        auth_to_local = RULE:[1:[EMAIL PROTECTED]([EMAIL PROTECTED])s/@.*//
        auth_to_local = DEFAULT
    }
This doesn't seem to work. Using 'tcpdump port kerberos' when a user
in LOC2 logs in I only see LOC1 being queried. I'm curious if I'm
doing something wrong or if I simply need to get a computer account
created for the box before trusts work. I was hoping not to approach
the AD staff until I was more or less certain I knew what needed to be
done.
Thanks,
Chris
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
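As an added example (not part of Chris's post and not MIT krb5's own code), the following Python model evaluates auth_to_local rules the way MIT krb5 does, assuming the obfuscated rule text above was the usual `[1:$1@$0](.*@REALM)s/@.*//` form. It follows krb5's lookup, which takes the rule list from the default realm's [realms] entry, so it shows why rules placed under LOC2.DOM.COM are never consulted for the LOC1 default realm and what a single rule list mapping both trusted realms looks like.

```python
import re

def parse_rule(rule):
    """Split 'RULE:[n:fmt](regex)s/pat/rep/[g]...' (MIT krb5 syntax) into parts."""
    m = re.match(r'RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$', rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, selector, rest = m.groups()
    subs = re.findall(r's/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)', rest)
    return int(ncomp), fmt, selector, subs

def apply_rule(rule, components, realm):
    """Return the local name produced by one RULE, or None if it does not apply."""
    ncomp, fmt, selector, subs = parse_rule(rule)
    if len(components) != ncomp:          # [n:...] only fires for n-component names
        return None
    name = fmt.replace('$0', realm)       # $0 is the realm, $1..$n the components
    for i, comp in enumerate(components, 1):
        name = name.replace('$%d' % i, comp)
    if selector is not None and re.fullmatch(selector, name) is None:
        return None                       # (regex) must match the whole string
    for pat, rep, g in subs:
        name = re.sub(pat, rep, name, count=0 if g else 1)
    return name

def aname_to_localname(principal, krb5_conf):
    """Map a principal to a local user as krb5 does; None means 'no mapping'."""
    name, realm = principal.rsplit('@', 1)
    components = name.split('/')
    default_realm = krb5_conf['libdefaults']['default_realm']
    # krb5 reads auth_to_local from the DEFAULT realm's [realms] entry only.
    rules = krb5_conf['realms'].get(default_realm, {}).get('auth_to_local', ['DEFAULT'])
    for rule in rules:
        if rule == 'DEFAULT':             # only single-component names in the default realm
            if realm == default_realm and len(components) == 1:
                return components[0]
            continue
        local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None

# Constructed equivalent of the posted layout (rules for LOC2 under LOC2's entry).
CONF = {'libdefaults': {'default_realm': 'LOC1.DOM.COM'}, 'realms': {
    'LOC1.DOM.COM': {'auth_to_local': [r'RULE:[1:$1@$0](.*@LOC1.DOM.COM)s/@.*//', 'DEFAULT']},
    'LOC2.DOM.COM': {'auth_to_local': [r'RULE:[1:$1@$0](.*@LOC2.DOM.COM)s/@.*//', 'DEFAULT']}}}
# Constructed alternative: both realm-scoped rules listed under the default realm.
# Keeping the (.*@REALM) selector matters: an unscoped [1:$1] rule would map a
# same-named principal from any realm krb5 can reach onto the local account.
FIXED = {'libdefaults': {'default_realm': 'LOC1.DOM.COM'}, 'realms': {
    'LOC1.DOM.COM': {'auth_to_local': [r'RULE:[1:$1@$0](.*@LOC1.DOM.COM)s/@.*//',
                                       r'RULE:[1:$1@$0](.*@LOC2.DOM.COM)s/@.*//', 'DEFAULT']}}}
```

Run `aname_to_localname('bob@LOC2.DOM.COM', CONF)` and `aname_to_localname('bob@LOC2.DOM.COM', FIXED)` to compare the two layouts; the first returns None, the second 'bob'.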