Posted by Roger Abell on August 4, 2005, 11:24 pm
It sounds as though you have not established SPNs (service principal
names) for the services. These are used in Windows as a means of
providing the full Kerberos hierarchical names.
The few sections starting at the following explain this
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/96725ab2-02a8-4c7e-8e0e-d298ec304e3b.mspx
However, there is more to it. Operation with the foreign service is
only possible if it has the correct authentication API support, and
full articulation can mean the service needs to actually be running as
a Windows principal.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx
is old but covers some of this in the Support for Kerb services section.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
> Hi,
>
> I have a unix kerberos realm "UNIX" which trusts a windows 2003 domain
> "WIN". In the windows domain configuration, the trust was set up as an
> incoming one-way non-transitive realm trust.
>
> Cross-realm authentication works fine using a unix client: I can log
> into the WIN domain with the unix client, and then I can access
> services in the UNIX realm.
>
> Windows clients can't access unix services though, because they assume
> that the service belongs to the WIN domain. How do I tell windows
> clients that a service belongs to the UNIX realm? In unix I set up a
> mapping from dns hostname to kerberos realm in the krb5.conf
> configuration file. Is there something similar to this in windows? Or
> is there some way to set up the WIN domain controller to know when to
> send referrals to the UNIX kerberos domain controller?
>
> Thanks,
> Luke.
>
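Editor's added example (not from the original thread and not Roger's or Luke's commands). It shows the two configurations the reply touches on, run from an elevated command prompt or PowerShell on a Windows Server 2003 era machine: registering an SPN when the service is backed by a Windows principal, and the Windows counterpart of the krb5.conf [domain_realm] and [realms] sections when the service stays a principal in the UNIX realm. The host name unixbox.unix.example.com, the KDC name kdc.unix.example.com, the realm name UNIX and the account UNIX-SVC are assumptions chosen for illustration.

```powershell
# Added example; names are assumptions, see the lead-in.

# Case 1: the UNIX service is represented by a Windows principal (an AD account
# that holds the key used in the service's keytab). Register the SPN on that
# account so the WIN KDC can issue tickets for it. setspn -A adds without a
# duplicate check (the only form available in 2003 era; -S on newer versions
# refuses duplicates), so list SPNs first and after to confirm.
setspn -L UNIX-SVC
setspn -A host/unixbox.unix.example.com UNIX-SVC
setspn -L UNIX-SVC

# Case 2: the service remains a principal of the UNIX realm. A Windows client
# assumes every host belongs to its own domain unless told otherwise. ksetup
# writes the equivalents of krb5.conf's [realms] and [domain_realm] entries
# into the registry (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos), so
# this is a per-client setting, not something the WIN DC pushes out by itself.
ksetup /addkdc UNIX kdc.unix.example.com
ksetup /addhosttorealmmap unixbox.unix.example.com UNIX
# A leading dot maps a whole DNS suffix, like a .domain entry in [domain_realm].
ksetup /addhosttorealmmap .unix.example.com UNIX

# Show the resulting realm and host-to-realm configuration.
ksetup /dumpstate
```

Check that the SPN you register, or the name the client now maps to UNIX, matches the principal in the UNIX service's keytab exactly (host/unixbox.unix.example.com@UNIX); a mismatch shows up on the UNIX side as a ticket for an unknown or wrong principal, not as a failure on the Windows client.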