[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...

To: pragai@rubin.hu, heimdal-discuss@sics.se
Subject: Cross Realm Auth: how to resolve the issue of finding the 'Correct' realm of service for ms w2k client...
From: Lara Adianto <m1r4cle_26@yahoo.com>
Date: Wed, 7 Apr 2004 20:13:51 -0700 (PDT)
Sender: owner-heimdal-discuss@sics.se

Hi,

To obtain a cross realm ticket for service located in
another domain, a MS w2k client sends a request for
ticket in the service's short name to its KDC (a
Kerberos Realm). So, a request for service
host/service-name.foo.org will be sent as
host/service-name. Hence the KDC must look for the
correct realm of service-name. (Until this point,
please correct me if my understanding is wrong)....
 
How does Heimdal handle this issue of finding the
correct realm ? I understand that the issue can be
resolved by adding entries in DNS or [domain_realms]
section of krb5.conf. Well, I tried both method, and
it works...but I need to create entry for every single
server, for example:
server A is mapped to realm FOO.ORG
server B is mapped to realm BAR.ORG
etc etc....
This will be tedious !!! 
Moreover, for using DNS, I had to modify the source
code a little bit (as explained in my previous
discussion with Johan Danielsson)

I imagine that it would be better if mapping is done
from a domain name of the server to the realm instead
of from every single server in the domain to the
realm.

Pragai Robert has once mentioned in one of his email
that he has managed to make cross-realm authentication
works.
>I've managed to authenticate via a Win2K client to a
>Heimdal realm and 
>then to a Win2K server, but I think the client asked
>for a cross-realm  TGT first from the
>HEimdal KDC and then asked the Win2K KDC to give the
>right service ticket to her.

>Robert

Do you mind sharing your experience with me Robert ?
or somebody else maybe ?

-lara-

=====
------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------

__________________________________
Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway 
http://promotions.yahoo.com/design_giveaway/

Prev by Date: Re: DNS lookup for resolving domain to realm mapping works...but only after I modified the source code ?
Next by Date: kadmin: kadm5_create_principa: ldap_add_s: Can't contact LDAP server
Prev by thread: Re: using ldap as heimdal backend
Next by thread: kadmin: kadm5_create_principa: ldap_add_s: Can't contact LDAP server
Index(es):
- Date
- Thread