James Chavez wrote:
> Hello list,
>
> I have a question that I need assistance with.
>
> I have a Windows 2003 AD setup.
> The forest consists of 3 domains.
> So we will say the name is
> example.com and there are 3 domains.
>
> america.example.com
> asia.example.com
> europe.example.com
>
> Is it possible to configure the krb5.conf on a station so that kerberos
> can service login requests for each of the 3 domains?

Maybe, but it is not clear what you mean.

> Is this as simple as adding an entry for each realm in the realms
> section of the krb5.conf file.

That is part of it, although DNS could be used to find the realms.
You say logins, so I am assuming that the station is Unix based.
Login would use PAM with a pam_krb5, and the station above will
need to have a principal in one of the realms and a keytab to match.

But if a user is in one AD domain and the server is in a different AD
domain, this would be cross realm and the pam_krb5 would have to do
some additional checks. Kerberos only does authentication; you still need
to authorize the user to log in.

Start here, as this gives the basic concepts:
http://technet.microsoft.com/en-us/library/bb742433.aspx

> Thank you
> James
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
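
An added example, not part of the original message: a krb5.conf sketch listing the three realms from the question, with DNS lookup left on as the alternative way to find KDCs. The KDC host names and the choice of default realm are assumptions made for illustration.

```ini
# Constructed example. KDC host names below are hypothetical placeholders.
# Assumption: the station's host principal and keytab live in the
# AMERICA.EXAMPLE.COM realm, so that realm is the default.
[libdefaults]
    default_realm = AMERICA.EXAMPLE.COM
    dns_lookup_kdc = true
    dns_lookup_realm = false

# One entry per AD domain. AD realm names are the upper-cased domain names.
# With dns_lookup_kdc = true the kdc lines may be omitted and the KDCs
# found through the SRV records the domain controllers publish in DNS.
[realms]
    AMERICA.EXAMPLE.COM = {
        kdc = dc1.america.example.com
    }
    ASIA.EXAMPLE.COM = {
        kdc = dc1.asia.example.com
    }
    EUROPE.EXAMPLE.COM = {
        kdc = dc1.europe.example.com
    }

# Map host names to realms so service tickets are requested from the
# right realm. The leading-dot form covers hosts under the domain,
# the bare form covers a host with exactly that name.
[domain_realm]
    .america.example.com = AMERICA.EXAMPLE.COM
    america.example.com = AMERICA.EXAMPLE.COM
    .asia.example.com = ASIA.EXAMPLE.COM
    asia.example.com = ASIA.EXAMPLE.COM
    .europe.example.com = EUROPE.EXAMPLE.COM
    europe.example.com = EUROPE.EXAMPLE.COM
```

With this layout, a user from ASIA or EUROPE logging in to a station keyed in AMERICA is the cross-realm case described in the reply, and authorizing that user still has to be handled outside Kerberos.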
