jm130794 <[email protected]> writes:

> Hello,
>
> I can open a session with my MIT user on seven but, when I try to create a
> file on his home directory Z: I get an access error. I can see this message
> on my kerberos MIT:
>
> Jun 15 22:20:15 srv1 krb5kdc[1350](info): TGS_REQ (5 etypes {18 17 23 24
> -135}) 192.168.2.5: UNKNOWN_SERVER: authtime 0, [email protected] for cifs/
> [email protected], Server not found in Kerberos database
>
> Must I add a principal for my DC to the MIT database?
No; the client needs some way to know that the server is in your AD realm and
not the MIT realm TEST.FR (assuming I've got your realms straight). You can do
this in various ways. If your DNS matches your realm structure, e.g. here all
hosts with names *.ad.test.fr are in the AD realm (let's call that ADREALM),
you can either put a mapping in /etc/krb5.conf:

    [domain_realm]
    ad.test.fr = ADREALM
    .ad.test.fr = ADREALM

... or, you can use the DNS for this:

    _kerberos.ad.test.fr IN TXT "ADREALM"

... if you turn on kdc_lookup_realm in the [libdefaults] section of
krb5.conf.

Also, the current release of MIT Kerberos supports referrals, so you could
configure the KDC to refer clients to AD when appropriate.

In any event, the client needs to know or discover that this server is in the
AD realm, so it can obtain a cross-realm TGT from TEST.FR, and present that to
a domain controller to get a CIFS service ticket.

- Richard Silverman
[email protected]

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
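As an added illustration of the host-to-realm lookup described in the reply (this is example code, not from the original thread or from MIT Kerberos), the snippet below walks a [domain_realm] section the way libkrb5 does, from the host itself up through its parent domains, and shows which ticket the client then asks its own KDC for. The krb5.conf text and the hostname dc.ad.test.fr are constructed; the realm names TEST.FR and ADREALM are taken from the thread.

```python
"""Resolve a service host's realm from [domain_realm] and pick the TGS target."""

# Constructed krb5.conf fragment (not from the original post).
KRB5_CONF = """
[libdefaults]
default_realm = TEST.FR
dns_lookup_realm = false

[domain_realm]
ad.test.fr = ADREALM
.ad.test.fr = ADREALM
"""

def parse_domain_realm(text):
    """Minimal parser for the flat [domain_realm] section of krb5.conf."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
        elif in_section and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def host_realm(host, mapping):
    """Most specific match wins: exact host, then '.domain', then 'domain'
    for each parent domain (a bare domain entry also covers its hosts)."""
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for key in ("." + domain, domain):
            if key in mapping:
                return mapping[key]
    return None  # unmapped: libkrb5 goes on to DNS TXT / fallback rules

def ticket_to_request(service, host, client_realm, mapping):
    """Principal the client asks its own KDC for. Simplification: an unmapped
    host is treated as being in the client's realm, which is what the
    UNKNOWN_SERVER line in the thread shows happening."""
    realm = host_realm(host, mapping) or client_realm
    if realm == client_realm:
        return f"{service}/{host}@{client_realm}"   # direct service ticket
    return f"krbtgt/{realm}@{client_realm}"          # cross-realm TGT first
```

With the mapping in place the client asks TEST.FR for krbtgt/ADREALM@TEST.FR and presents that to the domain controller; without it, the request for cifs/...@TEST.FR lands on the MIT KDC, which has no such principal.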
