[domain_realm] equivalent in windows

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[domain_realm] equivalent in windows


How does a Windows client know the appropriate kerberos realm for a
service?  (I'm looking for something like the [domain_realm] setting in
krb5.conf which is used with mit-krb5).

It seems that the default behaviour of the windows client is to assume
the kerberos realm will be the windows domain that the client is logged
into.  The windows domain controller seems able to generate a referral
to another windows domain within the same forest of windows domains, or
via a "forest trust" to another otherwise unrelated windows domain.

My problem is that I'm running a kerberos realm on unix (with mit-krb5)
which is linked to the windows domain with a "realm trust".  In this
case the windows domain controller is not generating referrals to my
MIT kerberos realm, so windows clients can't find the right realm for
unix services.

Unix mit-krb5 clients work fine with the appropriate settings for
[domain_realm] in krb5.conf , even when I'm logged in to the windows
domain using kinit.

So does anyone know how to get windows clients to access unix services
via such a "realm trust"?

Thanks for any insight,

Kerberos mailing list           [hidden email]