multi domain - Kerberos


  1. multi domain

    Hi all,
    I have some problems setting up krb5.conf for client authentication.
    I'm working on a multi-domain scenario with several domains like
    A.COMPANY.COM, B.COMPANY.COM, ... and one KDC server (Active Directory)
    that belongs to the A.COMPANY.COM domain.
    So I set up a krb5.conf as follows:

    [libdefaults]
    default_realm = A.COMPANY.COM

    [realms]
    A.COMPANY.COM = {
    kdc = kdcserver:88
    }

    [domain_realm]
    .a.company.com = A.COMPANY.COM
    .b.company.com = A.COMPANY.COM
    a.company.com = A.COMPANY.COM

    Principals that belong to A.COMPANY.COM are authenticated (kinit
    works), others are not.
    For those that are not authenticated, kinit returns a "Client not found in
    Kerberos database" error message, but the user exists in AD.
    Any suggestions or how I can get more information would be appreciated.

    Thanks,
    Alex


  2. Re: multi domain

    If you only have one realm then you will only have principals in that
    one realm. What the domain_realm section is telling the client is
    that each of your domains belongs to the same realm. Principals belong
    to the realm and not the domain.

    user@A.COMPANY.COM
    host/machine.a.company.com@A.COMPANY.COM
    host/machine.b.company.com@A.COMPANY.COM

    Jeffrey Altman


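Added example, not part of the thread or either poster's code: a small Python model of the distinction made in the reply, run on the krb5.conf from the first post. The suffix walk in `host_realm` is a simplified model (an assumption) of how an MIT-style client consults `[domain_realm]`, and `parse`, `host_realm` and `client_principal` are hypothetical helper names.

```python
# Constructed sample: the krb5.conf posted in the thread.
KRB5_CONF = """\
[libdefaults]
default_realm = A.COMPANY.COM
[realms]
A.COMPANY.COM = {
kdc = kdcserver:88
}
[domain_realm]
.a.company.com = A.COMPANY.COM
.b.company.com = A.COMPANY.COM
a.company.com = A.COMPANY.COM
"""

def parse(text):
    """Minimal krb5.conf reader: {section: {key: value}}; 'name = {' opens a sub-block."""
    conf, section, block = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = conf.setdefault(line.strip("[]"), {})
        elif line == "}":
            block = None
        else:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def host_realm(conf, host):
    """Map a service host to a realm: try the host name, then shorter suffixes
    ("m.b.co" -> ".b.co" -> "b.co" -> ".co" -> "co"). Assumed, simplified lookup."""
    table, name = conf.get("domain_realm", {}), host.lower()
    while name:
        if name in table:
            return table[name]
        name = name[1:] if name.startswith(".") else name[name.find("."):] if "." in name else ""
    return None

def client_principal(conf, name):
    """A client name without '@REALM' gets default_realm; [domain_realm] is not consulted."""
    return name if "@" in name else f"{name}@{conf['libdefaults']['default_realm']}"

CONF = parse(KRB5_CONF)
```

With this file, hosts under both DNS domains resolve to the single realm A.COMPANY.COM, while a client name is qualified only by the realm it carries or by `default_realm`, and `[realms]` defines no realm other than A.COMPANY.COM.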

