Hi,
I need some advice. I need to verify that an MIT/Windows trust option we've
wanted to work in fact cannot work. Can someone here maybe provide some
insightful comments on our setup?
Given:
1. We have an existing Microsoft Win2k3 AD domain (MOSAIC.UNCC.EDU) in a
cross-realm trust with an MIT KDC realm (UNCC.EDU).
2. Our XP clients are members of the Win2k3 domain.
3. Our XP users log on to the XP clients using their MIT realm credentials.
4. Once logged on to XP, our users access a CIFS share, hosted off of one
of the Win2k3 domain servers. The access works without a password because the
CIFS service ticket is served from the Win2k3 domain. The MIT user's "tgt" is
"trusted".
This 'old' setup has worked fine for years.
Now for the 'new' setup...
1. We have set up a new Win2k8R2 domain "MOSAIC64.UNCC.EDU".
2. The Win2k8R2 domain is also in a cross-realm trust with the MIT realm
"UNCC.EDU".
3. Our new Win7 clients are members of the Win2k8R2 domain.
4. Once logged on to Win7, our user can access a CIFS share, hosted off of
one of the Win2k8R2 domain servers. The access works without a password
because the CIFS service ticket is served from the Win2k8R2 domain. The MIT
user's "tgt" is "trusted".
This 'new' setup works just fine.
|----------------------|
| MIT REALM: UNCC.EDU  |
|----------------------|
    ^            ^
    |            |
    |            |  AD1 trust   |------|  domain membership  |-----------|
    |            --------------->| AD1  |<------------------| XP Client |<---[ [email protected] ]
    |                            |------|                   |-----------|
    |                               ^                  ---------/
    |                               |                 /
    |                        |-------------------|/
    |                        | AD CIFS VOL SHARE |
    |                        |-------------------|
    |
    |
    |  AD2 trust              |------|  domain membership  |-------------|
    ------------------------->| AD2  |<------------------| Win7 Client |<---[ [email protected] ]
                              |------|                   |-------------|
                                 ^                  ---------/
                                 |                 /
                          |-------------------|/
                          | AD CIFS VOL SHARE |
                          |-------------------|
Now for our 'problem'...
1. What we really need is for our XP and Win7 users to share the "same CIFS
volume", either hosted off of the old Win2k3 CIFS share, or the new Win2k8R2
CIFS share. We want this...
|----------------------|
| MIT REALM: UNCC.EDU  |
|----------------------|
    ^            ^
    |            |
    |            |  AD1 trust   |------|  domain membership  |-----------|
    |            --------------->| AD1  |<------------------| XP Client |<---[ [email protected] ]
    |                            |------|                   |-----------|
    |                               ^                  ---------/
    |                               |                 /
    |                        |-------------------|/
    |                        | AD CIFS VOL SHARE |
    |                        |-------------------|\
    |                                              \
    |                                               \------\
    |                                                       \
    |                                                        \
    |  AD2 trust              |------|  domain membership  |-------------|
    ------------------------->| AD2  |<------------------| Win7 Client |<----[ [email protected] ]
                              |------|                   |-------------|
2. We are finding no way to configure trusts, or setup 'forest' trusts to
allow sharing of a single CIFS share from both AD domains.
Does anyone know what options, if any, we may have here?
It would seem that since our XP/Win7 clients can only be members of one domain,
or the other, then we have no capability to provide authentication through to a
non-member domain, even if it is also in the same cross-realm trust with the
MIT KDC.
Essentially, "user@AD1_DOMAIN" (while logged on a client that is a "AD1_DOMAIN"
member), can't be mapped to "user@AD2_DOMAIN", even if both domains are
trusting "MIT.REALM", and the user has a "[email protected]" TGT.
Is this reasoning correct?
Rodney
Rodney M. Dyer
Operations and Systems (Specialist)
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: [email protected]
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office: Cameron Hall, Room 232
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
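The following is an added example, not code from the post or from MIT Kerberos. It models only the Kerberos-level question underneath the thread: given the trust edges between the three realms named above (assumed here to be the two-way trusts the post describes, with no trust between the two AD domains), which chain of cross-realm TGTs a client would have to acquire to reach a service in another realm. The path computation follows the MIT krb5 default (walk up the realm hierarchy to the common suffix, then down), with an optional `capaths`-style override. It deliberately models nothing about Windows policy on top of that (non-transitive realm trusts, SID filtering, mapping of MIT principals to domain accounts, share ACLs), which is where the post's difficulty actually sits; the realm names are the post's, everything else is a constructed assumption.

```python
"""Kerberos cross-realm trust-path walk over the topology described in the post.

Constructed example. The realm names come from the post; the trust edges are
assumed to be the two-way trusts it describes. The path algorithm mirrors the
MIT krb5 default (hierarchical walk) and a [capaths]-style override.
"""

# A trust edge (A, B) means realm A holds krbtgt/B@A, so a principal holding a
# TGT for A can ask A's KDC for a cross-realm TGT usable in B.
TRUSTS = set()


def add_two_way_trust(trusts, a, b):
    """A two-way cross-realm trust is two directed edges."""
    trusts.add((a, b))
    trusts.add((b, a))


add_two_way_trust(TRUSTS, "UNCC.EDU", "MOSAIC.UNCC.EDU")     # AD1 trust (assumed two-way)
add_two_way_trust(TRUSTS, "UNCC.EDU", "MOSAIC64.UNCC.EDU")   # AD2 trust (assumed two-way)
# Deliberately absent: any trust between MOSAIC.UNCC.EDU and MOSAIC64.UNCC.EDU,
# matching the diagram in the post.


def hierarchical_path(client_realm, server_realm):
    """krb5's default path: walk up the DNS-style realm hierarchy from the
    client realm to the longest common suffix, then down to the server realm.
    Returns the full list of realms traversed, or None when the realms share
    no suffix at all (krb5 then needs an explicit [capaths] entry)."""
    if client_realm == server_realm:
        return [client_realm]
    ac = client_realm.split(".")
    bc = server_realm.split(".")
    n = 0
    while n < min(len(ac), len(bc)) and ac[-1 - n].upper() == bc[-1 - n].upper():
        n += 1
    if n == 0:
        return None
    path = [client_realm]
    for i in range(1, len(ac) - n + 1):        # up: drop one label at a time
        path.append(".".join(ac[i:]))
    for i in range(len(bc) - n - 1, -1, -1):   # down: add one label at a time
        path.append(".".join(bc[i:]))
    return path


def resolve_path(client_realm, server_realm, trusts, capaths=None):
    """Walk the realm path hop by hop and check that each hop is backed by a
    trust edge. `capaths` maps (client, server) to the list of intermediate
    realms, the way a krb5.conf [capaths] stanza does; an empty list means a
    direct hop (the '.' entry in krb5.conf).
    Returns (ok, path, missing_hop)."""
    if capaths and (client_realm, server_realm) in capaths:
        path = [client_realm] + list(capaths[(client_realm, server_realm)]) + [server_realm]
    else:
        path = hierarchical_path(client_realm, server_realm)
        if path is None:
            return False, [client_realm], (client_realm, server_realm)
    for hop in zip(path, path[1:]):
        if hop not in trusts:
            return False, path, hop
    return True, path, None


if __name__ == "__main__":
    # The MIT user always starts from a UNCC.EDU TGT, whichever domain the
    # client box belongs to.
    cases = [
        ("UNCC.EDU", "MOSAIC.UNCC.EDU", None),            # 'old' setup, cifs in AD1
        ("UNCC.EDU", "MOSAIC64.UNCC.EDU", None),          # 'new' setup, cifs in AD2
        ("MOSAIC.UNCC.EDU", "MOSAIC64.UNCC.EDU", None),   # AD1 principal to AD2, via MIT
        ("MOSAIC.UNCC.EDU", "MOSAIC64.UNCC.EDU",          # forced direct hop: no such trust
         {("MOSAIC.UNCC.EDU", "MOSAIC64.UNCC.EDU"): []}),
    ]
    for client, server, capaths in cases:
        ok, path, missing = resolve_path(client, server, TRUSTS, capaths)
        print(f"{client} -> {server}: {'OK' if ok else 'NO PATH'} {' > '.join(path)}"
              + (f"  (no trust edge {missing[0]} -> {missing[1]})" if missing else ""))
```

The third case is the interesting one for the thread: at the pure-Kerberos level a chain through the MIT realm exists whenever both AD domains trust it in both directions, so if a Win7 client cannot get a ticket for the AD1 share, the block is not in the trust-path arithmetic but in the Windows-side policy that this model leaves out. Running the script prints one line per case; the last case shows how a missing hop is reported.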