Preetam Ramakrishna wrote:

Hi,

Douglas, thanks for the information. I forgot to mention that
I was using a Windows client, i.e., I am trying to map to a w2k server
(part of a win2k domain). Is it possible to specify the w2k domain name
in this case?


The W2K domain controllers act as the KDCs. The Kerberos realm name is the uppercase domain name. So if I understand your question, the answer is yes. Windows refers to UPN and SPN which are principal names. Windows will treat these as case insensitive, but other Kerberos implementations treat these as case sensitive, so use uppercase for realm names, and avoid uppercase user names.

You say you are using a Windows client. If you have access to the source,
does it call the InitializeSecurityContext, and does it let you
pass in the server_principal_name?

Thanks,
Preetam


"Douglas E. Engert" <[EMAIL PROTECTED]> 4/1/2005 6:15 PM >>>



Preetam Ramakrishna wrote:

Hi,

On unix machines, the kerberized client (eg: telnet) looks for
"domain realm mappings" in the /etc/krb5.conf file. So, when I run
"telnet server-1.acme.com", the client would appropriately request the
KDC a service ticket for host/[EMAIL PROTECTED]

Is there anything equivalent to this on a win2k workstation
which is configured to be a part of the non-windows kerberos realm?


The krb5.ini on Windows is the same as a unix krb5.conf, and the KfW
Kerberos libs will use the domain realm mappings.

If you are using the windows kerberos libs, via SSPI, the
server_principal_name parameter of the InitializeSecurityContext
routine can take the form: <service>@<host>@<realm>
so the application can provide all three.

Windows also implements referrals, where the client asks the KDC
for a ticket. The KDC can then return a referral to the client to
try a different realm. But this requires (1) KDC has a data base
of host realm mappings, (2) KDC has referral code, and (3) client
understands what to do with a referral. Windows code has all three.
AD can find hosts in its forest. AFAIK, referrals are not yet
implemented in non windows Kerberos. The IETF krb-wg and Kitten WG
are addressing these issues.

SecureCRT, and PuTTY can use either MIT KfW or SSPI and can allow the
user to provide the realm when using the SSPI.





Thanks,
Preetam
________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos







--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
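
An added example, not part of the thread and not code from MIT Kerberos, KfW or Windows: a Python model of the [domain_realm] lookup that krb5.conf / krb5.ini provides, used to derive the host/ service principal for "telnet server-1.acme.com" and to flag realm values that are not uppercase. The sample configuration and the function names are constructed for illustration, and the lookup order (exact host entry, then parent domains written with a leading dot) is a simplified assumption about how the libraries match entries.

```python
# Constructed sample krb5.conf / krb5.ini content (not from the thread).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.ORG

[domain_realm]
    .acme.com = ACME.COM
    gw.acme.com = DMZ.ACME.COM
    .eng.acme.com = eng.acme.com
"""

def parse_domain_realm(text):
    """Return the [domain_realm] section as {host or .domain: realm}."""
    mappings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mappings[key.lower()] = realm    # host names compared in lowercase
    return mappings

def realm_for_host(host, mappings, default_realm=None):
    """Assumed order: exact host entry, then '.domain' entries, longest first."""
    host = host.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix]
    return default_realm

def service_principal(service, host, mappings, default_realm=None):
    """Build service/host@REALM, e.g. the host/ principal telnet asks for."""
    realm = realm_for_host(host, mappings, default_realm)
    if realm is None:
        raise LookupError(f"no realm mapping for {host}")
    return f"{service}/{host.lower().rstrip('.')}@{realm}"

def non_uppercase_realms(mappings):
    """Entries whose realm is not uppercase (the case advice in the thread)."""
    return sorted(key for key, realm in mappings.items() if realm != realm.upper())
```
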