"Earl, Kevan C" <[email protected]> wrote in message news:3154febcfb92804da39a2560e171837604cd7...@ukaprdembx02.rd.astrazeneca.net... > Hello Markus, > > Thank you for this advice. I shall try out your suggestion. > > When I run kinit -V [email protected] I get the message: >
Mustn't that be kinit -V [email protected] ?

> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> while kinit -V [email protected] prompts for password.
>
> I understood that there were trusts between the domains, but this looks
> like there isn't.

The kinit of a user has nothing to do with trust.

>
> Regards,
> Kevan Earl
>
> --------------------------------------------------------------------------
> AstraZeneca UK Limited is a company incorporated in England and Wales with
> registered number: 03674842 and a registered office at 15 Stanhope Gate,
> London W1K 1LN.
> Confidentiality Notice: This message is private and may contain
> confidential, proprietary and legally privileged information. If you have
> received this message in error, please notify us and remove it from your
> system and note that you must not copy, distribute or take any action in
> reliance on it. Any unauthorised use or disclosure of the contents of this
> message is not permitted and may be unlawful.
> Disclaimer: Email messages may be subject to delays, interception,
> non-delivery and unauthorised alterations. Therefore, information
> expressed in this message is not given or endorsed by AstraZeneca UK
> Limited unless otherwise notified by an authorised representative
> independent of this message. No contractual relationship is created by
> this message by any person unless specifically indicated by agreement in
> writing other than email.
> Monitoring: AstraZeneca UK Limited may monitor email traffic data and
> content for the purposes of the prevention and detection of crime,
> ensuring the security of our computer systems and checking Compliance with
> our Code of Conduct and Policies.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] on
> Behalf Of Markus Moeller
> Sent: 25 March 2009 00:04
> To: [email protected]
> Subject: Re: Kerberos authetication against multiple Windows Domains
>
> "Earl, Kevan C" <[email protected]> wrote in message
> news:3154febcfb92804da39a2560e17183760341f...@ukaprdembx02.rd.astrazeneca.net...
>> Hello,
>>
>> I'm after some advice on how to configure Kerberos v5 to authenticate
>> users from different Windows domains to the same Apache hosted
>> application. Is this possible? If so, is there a simple guide on what
>> needs to be done in order to achieve it that can be shared with me?
>>
>> I have Kerberos v5 installed with a Kerberos-capable version of Apache on
>> AIX 5.3.
>> I have had a keytab file generated in the Windows "EU" domain, and have
>> configured the server so the application authenticates users from the
>> "EU" domain.
>>
>> /etc/krb5.conf is similar to:
>>
>> [libdefaults]
>>     default_realm = EU.COMPANY.NET
>>
>> [realms]
>>     EU.COMPANY.NET = {
>>         kdc = eudc01.eu.company.net
>>         admin_server = eudc01.eu.company.net
>>         default_domain = eu.company.net
>>     }
>>
>> [domain_realm]
>>     .svr_domain.company.net = EU.COMPANY.NET
>>     svr_domain.company.net = EU.COMPANY.NET
>>
>> What do I need to do in order to also authenticate users from the
>> company's "US" domain, which is controlled by separate domain
>> controller(s), to the application?
>>
>
> If the domains have a trust you don't need to do anything. If they don't
> have trust then you need to create a second keytab entry for the host in
> the US DC with a second DNS name.
>
> e.g. In the EU domain the server is server.eu.company.net with a key
> HTTP/[email protected] in eudc01 and in the US domain the
> server is server.us.company.net with a key
> HTTP/[email protected] in usdc01.
>
> Merge both keys in one keytab for Apache and configure the Apache
> Kerberos module to accept all names (I think it is KrbServiceName Any in
> mod-auth-kerb)
>
>> Any help anyone can give me would be very gratefully received.
>>
>> Regards,
>> Kevan Earl
>>
>
> Regards
> Markus
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
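Added example, not part of the original thread: a check that a merged keytab of the kind Markus describes holds an HTTP/ service key for every realm Apache must accept. It parses MIT-style `klist -k` output; the listing is constructed, and the realm US.COMPANY.NET, the full principal names, the keytab path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: verify a merged Apache keytab covers every required realm.

# Constructed sample of MIT-style `klist -k` output (not from the thread).
# Realm US.COMPANY.NET, the principals and the path are assumptions.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/path/to/merged.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/server.eu.company.net@EU.COMPANY.NET
   3 HTTP/server.eu.company.net@EU.COMPANY.NET
   2 host/server.us.company.net@US.COMPANY.NET
EOF
}

# Hypothetical helper: reads a keytab listing on stdin and prints every
# realm named in "$@" that has no HTTP/ service key. Realm names are
# compared exactly, because Kerberos realms are case-sensitive.
missing_http_realms() {
    listing=$(cat)
    for realm in "$@"; do
        printf '%s\n' "$listing" | awk -v want="$realm" '
            # Data rows look like "<kvno> <principal>"; headers are skipped.
            $1 ~ /^[0-9]+$/ && $2 ~ /^HTTP\// {
                n = split($2, part, "@")
                if (n == 2 && part[2] == want) found = 1
            }
            END { exit !found }
        ' || printf '%s\n' "$realm"
    done
}

# The US realm has only a host/ key here, so it is reported as missing.
sample_keytab_listing | missing_http_realms EU.COMPANY.NET US.COMPANY.NET
# prints: US.COMPANY.NET
```

Against a real keytab, pipe `klist -k` for that file into `missing_http_realms`; empty output means every listed realm has an HTTP/ key.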
