Re: please help with MS AD -> UNIX trust
vadim wrote:
> Hallo everybody,
>
> Could you please point stupid me to the right piece of documentation?
>
> I've built a Kerberos realm, where KDC is MS AD, servers are OpenSSH and
> OpenLDAP on Solaris 8, clients are on Solaris and Cygwin. I have used
> GSSAPI implementation from Heimdal and MIT with equal success -
> everything worked just perfectly!
>
> Now for some odd reasons I have to build a pure UNIX realm and to
> establish a one-way trust, where the UNIX realm trusts AD, and users once
> logged into the AD realm should be able also to log into the UNIX
> realm.
You mean "users once logged into the AD realm should be able also to
log into servers in the UNIX realm."
^^^^^^^^^^^
>
> I have tried both Heimdal 0.6.4 and MIT 1.4.1 as UNIX realm, and in both
> cases I have the same result with OpenSSH:
>
> 1) assuming that AD realm is called A, and UNIX realm is called B,
> client obtains TGT for realm A.
> 2) trying to ssh into realm B client gets ticket
> krbtgt/B@A
> 3) client gets ticket host/whatsoever@B
>
> and at this moment GSSAPI fails to establish context between client and
> server SSH.
>
> Since both Heimdal and MIT behave in exactly the same manner with
> several versions of OpenSSH (from 3.8.1 to 4.0), and I have no problems
> with AD and Heimdal/MIT when not trying to make them trust each other, I am
> absolutely sure that I've missed the right documentation ...
>
> Can you please tell me where I could dig further?
Look for auth_to_local in krb5.conf and the .k5login file.
These map a principal to a local unix account. By default
users in the host realm are assumed to map to local accounts.
But you are now using cross realm.
The host/whatsoever@B needs to know that a foreign principal, u@A, is
allowed to use the local account u.
>
> Thanx a lot and best regards, vadim tarassov.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
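The mapping step described in the reply above is what fails silently in the original poster's setup: the cross-realm ticket is fine, but the server cannot turn u@A into a local user, so the GSSAPI authorization step is refused. The following is an added example, not code from the thread or from MIT/Heimdal: a small Python evaluator for MIT's krb5.conf auth_to_local syntax (RULE:[n:string](regexp)s/pattern/replacement/g and DEFAULT) plus the .k5login check, so the effect of a rule can be tried offline. The realm names A and B are the ones used in the thread; the principal names, the rule strings and the .k5login contents are constructed for the example. One assumption is marked in the code: the selector regexp is treated as having to match the whole formatted string, which is how this editor reads MIT's behaviour.

```python
import re
from typing import List, Optional

# Constructed auth_to_local lines as they would appear under
#   [realms]  B = { auth_to_local = ... }
# in the UNIX realm's krb5.conf (MIT syntax).  First rule: any single
# component principal from realm A maps to the same local user name.
# DEFAULT: single component principals from the local realm map to
# themselves.  Anything else is left unmapped.
RULES = [
    "RULE:[1:$1@$0](^.*@A$)s/@A$//",
    "DEFAULT",
]
LOCAL_REALM = "B"

# RULE:[n:format](selector)substitutions ; the selector is greedy up to
# the last ')', so substitutions in this toy parser must not contain ')'.
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)(.*)$")
SUB_RE = re.compile(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?)")


def parse_principal(princ: str):
    """Split 'c1/c2@REALM' into (components, realm)."""
    if "@" not in princ:
        raise ValueError("principal has no realm: %r" % princ)
    name, realm = princ.rsplit("@", 1)
    return name.split("/"), realm


def _expand(fmt: str, comps: List[str], realm: str) -> str:
    """$0 is the realm, $1..$n are the principal components."""
    def repl(m):
        i = int(m.group(1))
        if i == 0:
            return realm
        if i > len(comps):
            raise ValueError("rule references component $%d" % i)
        return comps[i - 1]
    return re.sub(r"\$(\d+)", repl, fmt)


def _apply_subs(text: str, subs: str) -> str:
    """Apply the sed-like s/pat/rep/[g] chain that follows the selector."""
    for pat, rep, gflag in SUB_RE.findall(subs):
        text = re.sub(pat, rep, text, count=0 if gflag else 1)
    return text


def auth_to_local(principal: str, rules: List[str], local_realm: str) -> Optional[str]:
    """Return the local account for principal, or None if no rule matches."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm and len(comps) == 1:
                return comps[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unparsable rule: %r" % rule)
        n, fmt, selector, subs = m.groups()
        if len(comps) != int(n):
            continue                      # wrong number of components
        candidate = _expand(fmt, comps, realm)
        # Assumption: MIT requires the selector to match the whole string.
        if not re.fullmatch(selector, candidate):
            continue
        return _apply_subs(candidate, subs)
    return None


def k5login_allows(k5login_text: str, principal: str) -> bool:
    """~user/.k5login: one principal per line, exact match wins."""
    return principal in [ln.strip() for ln in k5login_text.splitlines() if ln.strip()]


def kuserok(principal: str, local_user: str, k5login_text: Optional[str],
            rules: List[str], local_realm: str) -> bool:
    """Authorization decision as sshd's GSSAPI path makes it: a .k5login
    in the target account's home takes precedence; without one, the
    principal must map to exactly that account via auth_to_local."""
    if k5login_text is not None:
        return k5login_allows(k5login_text, principal)
    return auth_to_local(principal, rules, local_realm) == local_user


if __name__ == "__main__":
    for p in ("vadim@A", "vadim@B", "vadim@C", "host/srv.example@A"):
        print("%-22s -> %s" % (p, auth_to_local(p, RULES, LOCAL_REALM)))
    # constructed ~vadim/.k5login granting the foreign principal explicitly
    print(kuserok("vadim@A", "vadim", "vadim@A\n", RULES, LOCAL_REALM))
```

Without the RULE line (DEFAULT alone), vadim@A returns None, which is the situation in the thread: the tickets are obtained, but the server has no local account to hand the session to. The .k5login route achieves the same for a single user without touching krb5.conf, and is the one that also applies to the Heimdal build mentioned in the thread.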