Re: please help with MS AD -> UNIX trust
> Hello everybody,
> Could you please point stupid me to the right piece of documentation?
> I've built Kerberos realm, where KDC is MS AD, servers are OpenSSH and
> OpenLDAP on Solaris 8, clients are on Solaris and Cygwin. I have used
> GSSAPI implementation from Heimdal and MIT with equal success -
> everything worked just perfectly!
> Now for some odd reasons I have to build pure UNIX realm and to
> establish one-way trust, where UNIX realm trusts AD, and users once
> logged into the AD realm, should be able also to log into the UNIX
You mean "users once logged into the AD realm, should be able also to
log into servers in the UNIX realm."
> I have tried both Heimdal 0.6.4 and MIT 1.4.1 as UNIX realm, and in both
> cases I have the same result with OpenSSH:
> 1) assuming that AD realm is called A, and UNIX realm is called B,
> client obtains TGT for realm A.
> 2) trying to ssh into realm B client gets ticket
> 3) client gets ticket host/whatsoever@B
> and at this moment GSSAPI fails to establish context between client and
> server SSH.
> Since both Heimdal and MIT behave exactly in the same manner with
> several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems
> with AD and Heimdal/MIT if not trying them to trust each other, I am
> absolutely sure that I've missed the right documentation ...
> Can you please tell me where I could dig further?
Look for auth_to_local in krb5.conf and the .k5login file.
These map a principal to a local Unix account. By default
users in the host realm are assumed to map to local accounts.
But you are now using cross realm.
The host/whatsoever@B needs to know that a foreign principal, u@A, is
allowed to use the local account u.
> Thanks a lot and best regards, vadim tarassov.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
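To make the mapping described above concrete, here is an added example (not part of this thread, and not MIT's or Heimdal's own code): a constructed krb5.conf fragment for realm B carrying an MIT-style auth_to_local RULE, a constructed ~u/.k5login, and a small Python re-implementation of the rule evaluation, simplified from the documented MIT syntax. Realm names A and B and the user u follow the original post; the KDC hostname, the rule text, the file contents and the evaluator's exact matching behaviour (unanchored regex search, no escape handling) are assumptions made for illustration.

```python
import re

# Constructed krb5.conf fragment for the UNIX realm B (an assumption, not
# taken from the thread). The RULE maps any single-component principal in
# the AD realm A to the same local user name; DEFAULT keeps the usual
# mapping for single-component principals in the local realm B.
KRB5_CONF = """
[libdefaults]
    default_realm = B

[realms]
    B = {
        kdc = kdc.b.example
        auth_to_local = RULE:[1:$1@$0](^.*@A$)s/@A$//
        auth_to_local = DEFAULT
    }
"""

# Constructed ~u/.k5login for local user u: the per-account alternative.
K5LOGIN = "u@A\n"

# RULE:[n:selector](regexp)s/pat/rep/[g]...   (regexp part is optional)
RULE_RE = re.compile(
    r'^RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?((?:s/[^/]*/[^/]*/g?)*)$')


def auth_to_local_rules(conf_text, realm):
    """Collect the auth_to_local lines from the [realms] block of `realm`."""
    rules, inside = [], False
    opener = re.compile(r'^' + re.escape(realm) + r'\s*=\s*\{$')
    for raw in conf_text.splitlines():
        line = raw.strip()
        if opener.match(line):
            inside = True
        elif inside and line == '}':
            break
        elif inside and line.startswith('auth_to_local'):
            rules.append(line.split('=', 1)[1].strip())
    return rules


def apply_rule(rule, principal, default_realm):
    """Return the local name one rule yields, or None if it does not apply."""
    name, realm = principal.rsplit('@', 1)
    comps = name.split('/')          # simplified: \/ and \@ escapes ignored
    if rule == 'DEFAULT':
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m or int(m.group(1)) != len(comps):
        return None                  # rule applies to n-component names only

    def expand(ref):                 # $0 is the realm, $1..$n the components
        i = int(ref.group(1))
        return realm if i == 0 else (comps[i - 1] if i <= len(comps) else '')

    selector = re.sub(r'\$(\d+)', expand, m.group(2))
    if m.group(3) is not None and not re.search(m.group(3), selector):
        return None
    for pat, rep, g in re.findall(r's/([^/]*)/([^/]*)/(g?)', m.group(4)):
        selector = re.sub(pat, rep, selector, count=0 if g else 1)
    return selector


def map_principal(rules, principal, default_realm):
    """First rule that yields a name wins; None means no local account."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None


def k5login_allows(k5login_text, principal):
    """.k5login lists full principals allowed into that one local account."""
    return principal in [l.strip() for l in k5login_text.splitlines() if l.strip()]


if __name__ == '__main__':
    rules = auth_to_local_rules(KRB5_CONF, 'B')
    for p in ['u@A', 'u@B', 'host/whatsoever@B', 'u@C']:
        print(p, '->', map_principal(rules, p, 'B'))
    print('u@A in .k5login:', k5login_allows(K5LOGIN, 'u@A'))
```

The RULE is deliberately narrow: it only fires for one-component names and only for realm A, so host/whatsoever@B, multi-component names and a principal from some third realm C map to nothing and are refused. A looser rule such as s/@.*// would let u@C claim the local account u as soon as B trusts C, so anchor the regexp on the realm you actually trust. The .k5login route grants one foreign principal access to one account without touching krb5.conf, which is the simpler choice when only a handful of users need to cross the trust.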