Victor Sudakov <v...@mpeks.no-spam-here.tomsk.su> writes:

> I am just curious. What Windows client programs and Unix server programs
> (or vice versa) must you use? How do you use this trust?

We allow all Active Directory users at Stanford to log on either in the AD realm or in the university Heimdal realm, and try to set up as many services as we can to accept either set of credentials as equivalent. This is relatively easy on the AD side. On the UNIX side, WebAuth (via Negotiate-Auth/SPNEGO) is configured to trust AD credentials and treat them as equivalent, as is AFS; the rest is somewhat hit or miss. For example, I don't think AD credentials work with GSSAPI authentication to Zimbra, mostly because we've not gotten around to figuring out how to tell Zimbra to treat the credentials as equivalent.

We also routinely authenticate automated UNIX clients to AD services and vice versa for things like authenticated LDAP queries and the like.

In general, AD is used as the primary authentication realm for all services running on Windows inside the AD forest, and for users who log in via AD. Most systems (such as student systems) are not joined to AD, and general campus use all uses the Heimdal realm, with occasional cross-realm authentications to Windows web services. Most principals for automated processes, host and service principals, and so forth are issued from the Heimdal realm, since we have invested more effort into automated principal management, distributed ACLs, and the like on the Heimdal side.

> I am trying to set up a trust so that MSIE users could have an SSO to a
> site running Apache on FreeBSD but I don't know yet if the game is
> worth the candle.

It should be fairly straightforward.

> But it still escapes me how on earth I will end up with
> krbtgt/unix.re...@windows.realm and krbtgt/windows.re...@unix.realm
> having the same key. There is nothing in the above articles about
> exporting and importing keytabs.

You use a password. Enter the same password on both sides when creating the key, and then be sure to remove any extraneous enctypes on the Heimdal side that AD isn't configured to provide.

I usually use a random password generator like apg with a fairly long password length and large character set.

--
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
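The enctype clean-up step above is easy to get wrong by hand. The following is an added example, not code from the thread: a small POSIX sh helper that takes the "Keytypes:" line Heimdal's `kadmin -l get <principal>` prints for the cross-realm TGT principal, compares it against the enctypes AD is assumed to support, and builds the `kadmin -l del_enctype` command that strips the rest. The AD enctype list, the principal name and the sample "Keytypes:" line are assumptions; the sample is constructed and its exact suffix format may differ between Heimdal versions.

```shell
#!/bin/sh
# Added example (not from the original message). Lists the enctypes on a
# Heimdal cross-realm TGT principal that AD is not configured to provide and
# emits the Heimdal kadmin command that removes them. Assumed AD enctype set:
AD_ENCTYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5"

# Constructed sample of the "Keytypes:" line from `kadmin -l get`; the
# "(pw-salt)[kvno]" suffixes are stripped before comparison.
SAMPLE_KEYTYPES="Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], aes128-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1], des-cbc-crc(pw-salt)[1]"

# Normalise a Keytypes line to one bare enctype name per output line.
keytypes_names() {
    printf '%s\n' "$1" | sed 's/^Keytypes:[[:space:]]*//' | tr ',' '\n' \
        | sed 's/[[:space:]]//g; s/(.*//; s/\[.*//' | grep -v '^$'
}

# Print, space separated, the principal's enctypes that AD cannot provide.
# Any key left here can break cross-realm authentication from the AD side.
extraneous_enctypes() {
    out=""
    for et in $(keytypes_names "$1"); do
        case " $AD_ENCTYPES " in
            *" $et "*) ;;               # AD supports it: keep the key
            *) out="$out $et" ;;        # not in the AD set: mark for removal
        esac
    done
    printf '%s\n' "${out# }"
}

# Build the Heimdal command that removes the extraneous enctypes from
# the principal (argument 1) given its Keytypes line (argument 2).
del_enctype_cmd() {
    extra=$(extraneous_enctypes "$2")
    [ -n "$extra" ] || { printf 'nothing to remove\n'; return 0; }
    printf 'kadmin -l del_enctype %s %s\n' "$1" "$extra"
}

# Assumed principal name for the AD-side realm trusting the Heimdal realm.
del_enctype_cmd 'krbtgt/WINDOWS.REALM@UNIX.REALM' "$SAMPLE_KEYTYPES"
```

Run the printed command on the Heimdal KDC only after confirming the AD list matches what the trust was actually created with; re-run `kadmin -l get` afterwards to verify the remaining keys.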