"Dirk Pape" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> In article <[EMAIL PROTECTED]>,
> "Ryan Odgers" <[EMAIL PROTECTED]> wrote:
>
> > If the KDC is win2000 and the kerberos client is UNIX or MIT, does
> > cross-realm authentication still need to be set up?
> > It is the same kerberos realm, the unix machine points to the 2000 KDC as
> > its server.
>
> we have done this successfully here:
>
> having Unix hosts sshd and apache authenticate users from Windows 2003
> AD via kerberos.
> We use Win 2003 Server (but it also worked with windows 2000 Server AD),
> I remember SFU was necessary to make it work.
>
> I do not see what we did differently from what you did, but there were
> two things we had to struggle with:
>
> 1. you have to set up one user account (not computer account) for every
> service you want to be kerberized (this reads: there is a one-to-one map
> between service principals and service accounts).

I have AD users corresponding to the services, e.g. telnet and ftp, and have used ktpass to generate the following principals:

telnet/[EMAIL PROTECTED]
ftp/[EMAIL PROTECTED]

I just get lost in how to get a ticket from Windows to use that service. If I am on the Unix machine and do a kinit with the service as above, I can authenticate, and if I do a klist the ticket is listed. How do I make a Kerberos-aware client on Windows authenticate using these credentials?

> 2. you have to be sure that you have the correct name of the principal
> (as used by the service) and that the keytab is found and readable by
> the service.
>
> Regards,
> Dirk.
>
> --
> Dr. Dirk Pape (Head of Computing Operations)
> FB Mathematik und Informatik der FU-Berlin
> Takustr. 9, 14195 Berlin
> Tel. +49 (30) 838 75143, Fax. +49 (30) 838 75190

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
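One concrete way to check Dirk's second point (the keytab must hold exactly the principal name the service looks up, e.g. telnet/host@REALM rather than host/host@REALM) is to read the keytab itself. The following is an added example, not code from this thread: a minimal Python reader for the MIT 0x0502 keytab format that ktpass writes, run against a constructed two-entry keytab whose host name, realm and keys are assumptions so that it works offline.

```python
import struct

KRB5_NT_PRINCIPAL = 1   # name type used for service principals

def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Encode one keytab entry; used here only to construct a sample keytab."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBHH", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", kvno)          # key, then optional 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes) -> list[tuple[str, int, int]]:
    """Return (principal, kvno, enctype) for every live entry in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]; pos += 4
        if size == 0:
            break
        if size < 0:                               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            clen = struct.unpack_from(">H", data, pos)[0]; pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _nt, _ts, kvno, enctype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                            # skip the key material itself
        if end - pos >= 4:                          # 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0]
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def keytab_has_principal(data: bytes, expected: str) -> bool:
    """True only when the exact name the service will look up is present."""
    return any(p == expected for p, _, _ in parse_keytab(data))

# Constructed sample: the thread's two service principals, as ktpass might write them.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry("telnet/unixhost.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16),
    build_entry("ftp/unixhost.example.com@EXAMPLE.COM", 3, 23, b"\x22" * 16),
])
```

On a real host, pass the bytes of the keytab the daemon is configured to use (and read it as the daemon's own user, which also exercises the readability half of the check).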
