On Fri, May 04, 2007 at 01:25:22PM -0400, Jeffrey Altman wrote:
> David Bear wrote:
> > I have been wondering about necessary inclusions in a krb5.conf file
> > for use on a windows box that is ALSO joined and authenticating to AD.
> >
> > We have two kerb realms; an original MIT kerb5 realm, and a separate
> > realm for AD. Our MIT realm is used to authenticate users of afs.
> > Our AD realm is used for ... things microsoft.
> >
> > Will KfW automagically handle obtaining tickets from the AD realm
> > without having any entries in the krb5.conf file?
> >
> > I have entries for both realms currently and I consistently get an
> > error from the NetId Manager that it failed to get tickets for our AD
> > realm. However, when I look in the NetId Manager I do indeed see
> > various tickets from our AD realm. I'm thinking that perhaps the
> > additional entries in the krb5.conf file are superfluous.
> >
> > We do get tickets and afs tokens properly from our MIT realm which
> > makes afs happy.
> Does your NIM identity for the Windows principal have a configuration
> stating it should obtain AFS tokens? I bet that is what is failing.

I don't know what a NIM identity is or how to check for it. Any pointers?
I do know there is a cross realm trust from our AD domain to our MIT
realm. (please note when I speak of MIT realm, it's NOT MIT -- it's just
a true MIT based kerb realm)

>
> KFW will use DNS SRV lookups to obtain the data for the Windows Active
> Directory realm if you don't include them in the krb5.ini file.

I have verified that we use DNS records for our afs servers.

>
> Jeffrey Altman
> Secure Endpoints Inc.

--
David Bear
phone: 602-496-0424
fax: 602-496-0955
College of Public Programs/ASU
University Center Rm 622
411 N Central
Phoenix, AZ 85007-0685
"Beware the IP portfolio, everyone will be suspect of trespassing"
________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
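An added illustration, not part of the thread: a krb5.ini for the two-realm setup discussed above, with the MIT-based realm listed explicitly and the Active Directory realm left to the DNS SRV lookup that Jeffrey describes. All realm and host names are placeholders, and the choice of default realm is an assumption.

```ini
; Added example; every realm and host name below is a placeholder.

[libdefaults]
; Assumption: the MIT-based realm (the one AFS uses) is the default.
    default_realm = MITREALM.EXAMPLE.EDU
; Locate KDCs through DNS SRV records (for example
; _kerberos._udp.<REALM>) for any realm not listed under [realms].
    dns_lookup_kdc = true

[realms]
; The MIT-based realm is configured explicitly.
; There is deliberately no stanza for the AD realm (AD.EXAMPLE.EDU):
; its KDCs, the domain controllers, are found through the SRV records
; that Active Directory publishes in DNS.
    MITREALM.EXAMPLE.EDU = {
        kdc = kdc1.mitrealm.example.edu
        admin_server = kdc1.mitrealm.example.edu
    }

[domain_realm]
; Map the AFS server hosts to the MIT-based realm.
    .afs.example.edu = MITREALM.EXAMPLE.EDU
```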
