
Re: please help with MS AD -> UNIX trust

vadim wrote:

> Hallo everybody,
> Could you please point stupid me to the right piece of documentation?
> I've built a Kerberos realm, where the KDC is MS AD, servers are OpenSSH and
> OpenLDAP on Solaris 8, clients are on Solaris and Cygwin. I have used
> the GSSAPI implementation from Heimdal and MIT with equal success -
> everything worked just perfectly!
> Now for some odd reasons I have to build a pure UNIX realm and to
> establish a one-way trust, where the UNIX realm trusts AD, and users once
> logged into the AD realm should also be able to log into the UNIX
> realm.

You mean "users once logged into the AD realm should also be able to
log into servers in the UNIX realm."

> I have tried both Heimdal 0.6.4 and MIT 1.4.1 as the UNIX realm, and in both
> cases I have the same result with OpenSSH:
> 1) assuming that the AD realm is called A, and the UNIX realm is called B,
> the client obtains a TGT for realm A.
> 2) trying to ssh into realm B, the client gets the ticket
> krbtgt/B@A
> 3) the client gets the ticket host/whatsoever@B
> and at this moment GSSAPI fails to establish a context between client and
> server SSH.
> Since both Heimdal and MIT behave in exactly the same manner with
> several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems
> with AD and Heimdal/MIT if not trying to make them trust each other, I am
> absolutely sure that I've missed the right documentation ...
> Can you please tell me where I could dig further?

Look for auth_to_local in krb5.conf and the .k5login file.
These map a principal to a local unix account. By default
users in the host realm are assumed to map to local accounts.
But you are now using cross realm.

The host/whatsoever@B needs to know that a foreign principal, u@A, is
allowed to use the local account u.

> Thanx a lot and best regards, vadim tarassov.


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
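As an added illustration of the mapping described in the reply (not part of the original thread), here is an MIT krb5.conf fragment for the host in realm B that maps u@A to the local account u and keeps the default mapping for B's own principals. Realm names A and B are taken from vadim's message; the KDC hostnames are placeholders.

```ini
# /etc/krb5.conf on the OpenSSH server in realm B (MIT syntax).
# Rules are tried in order; the first matching rule wins.
[libdefaults]
    default_realm = B

[realms]
    B = {
        kdc = kdc.b.example           # placeholder hostname
        admin_server = kdc.b.example  # placeholder hostname
        # Cross-realm: rebuild a one-component principal as "u@A",
        # accept it only if the realm is exactly A, then strip "@A"
        # so that u@A becomes the local account u.
        auth_to_local = RULE:[1:$1@$0](^.*@A$)s/@A$//
        # Principals in B itself still map to their first component.
        auth_to_local = DEFAULT
    }

[domain_realm]
    .b.example = B   # placeholder domain
    b.example = B
```

The per-user alternative is a line `u@A` in `~u/.k5login` on the server; when that file exists it is authoritative for that account, so a principal not listed in it is refused even if an auth_to_local rule would have mapped it.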