On 11/5/2012 2:49 PM, Dyer, Rodney wrote:
> Hi,
>
> I need some advice. I need to verify that an MIT/Windows trust option we've
> wanted to work, in fact cannot work. Can someone here maybe provide some
> insightful comments on our setup?
>

Have you looked at cross-forest trust between MOSAIC.UNCC.EDU and
MOSAIC64.UNCC.EDU? I don't know if that would work. Since your Kerberos realm
is UNCC.EDU, you can't have both in the same forest, as the top of the forest
would have to be UNCC.EDU.

> Given:
>
> 1. We have an existing Microsoft Win2k3 AD domain (MOSAIC.UNCC.EDU) in a
> cross-realm trust with an MIT KDC realm (UNCC.EDU).
>
> 2. Our XP clients are members of the Win2k3 domain.
>
> 3. Our XP users logon to the XP clients using their MIT realm credentials.
>
> 4. Once logged on to XP, our users access a CIFS share, hosted off of one
> of the Win2k3 domain servers. The access works without a password because
> the CIFS service ticket is served from the Win2k3 domain. The MIT user's
> "tgt" is "trusted".
>
> This 'old' setup has worked fine for years.
>
> Now for the 'new' setup...
>
> 1. We have set up a new Win2k8R2 domain "MOSAIC64.UNCC.EDU".
>
> 2. The Win2k8R2 domain is also in a cross-realm trust with the MIT realm
> "UNCC.EDU".
>
> 3. Our new Win7 clients are members of the Win2k8R2 domain.
>
> 4. Once logged on to Win 7, our user can access a CIFS share, hosted off
> of one of the Win2k8R2 domain servers. The access works without a password
> because the CIFS service ticket is served from the Win2k8R2 domain. The MIT
> user's "tgt" is "trusted".
>
> This 'new' setup works just fine.
>
>        |----------------------|
>        | MIT REALM: UNCC.EDU  |
>        |----------------------|
>            ^              ^
>            |              |
>            |              |
>            |              |   AD1 trust   |------|  domain membership  |-----------|
>            |              --------------->| AD1  |<--------------------| XP Client |<---[ [email protected] ]
>            |                              |------|                     |-----------|
>            |                                 ^          ---------/
>            |                                 |                  /
>            |                              |-------------------|/
>            |                              | AD CIFS VOL SHARE |
>            |                              |-------------------|
>            |
>            |
>            |
>            |
>            |   AD2 trust              |------|  domain membership  |-------------|
>            -------------------------->| AD2  |<--------------------| Win7 Client |<---[ [email protected] ]
>                                       |------|                     |-------------|
>                                          ^          ---------/
>                                          |                  /
>                                       |-------------------|/
>                                       | AD CIFS VOL SHARE |
>                                       |-------------------|
>
> Now for our 'problem'...
>
> 1. What we really need is for our XP and Win7 users to share the "same
> CIFS volume", either hosted off of the old Win2k3 CIFS share, or the new
> Win2k8R2 CIFS share. We want this...
>
>        |----------------------|
>        | MIT REALM: UNCC.EDU  |
>        |----------------------|
>            ^              ^
>            |              |
>            |              |
>            |              |   AD1 trust   |------|  domain membership  |-----------|
>            |              --------------->| AD1  |<--------------------| XP Client |<---[ [email protected] ]
>            |                              |------|                     |-----------|
>            |                                 ^          ---------/
>            |                                 |                  /
>            |                              |-------------------|/
>            |                              | AD CIFS VOL SHARE |
>            |                              |-------------------|\
>            |                                                    \
>            |                                                    \------\
>            |                                                            \
>            |                                                             \
>            |   AD2 trust              |------|  domain membership  |-------------|
>            -------------------------->| AD2  |<--------------------| Win7 Client |<----[ [email protected] ]
>                                       |------|                     |-------------|
>
> 2. We are finding no way to configure trusts, or set up 'forest' trusts to
> allow sharing of a single CIFS share from both AD domains.
>
> Does anyone know what, if any, options we may have here?
>
> It would seem that since our XP/Win7 clients can only be members of one
> domain, or the other, then we have no capability to provide authentication
> through to a non-member domain, even if it is also in the same cross-realm
> trust with the MIT KDC.
>
> Essentially, "user@AD1_DOMAIN" (while logged on a client that is a
> "AD1_DOMAIN" member), can't be mapped to "user@AD2_DOMAIN", even if both
> domains are trusting "MIT.REALM", and the user has a "[email protected]" TGT.
>
> Is this reasoning correct?
>
> Rodney
>
> Rodney M. Dyer
> Operations and Systems (Specialist)
> Mosaic Computing Group
> William States Lee College of Engineering
> University of North Carolina at Charlotte
> Email: [email protected]
> Web: http://www.coe.uncc.edu/~rmdyer
> Phone: (704)687-3518
> Help Desk Line: (704)687-3150
> FAX: (704)687-2352
> Office: Cameron Hall, Room 232
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
