Thanks. I should have mentioned that I have also asked Microsoft about the various bits of netdom that seem as if they might work, e.g. netdom /addtln. But I will do some more research of my own.
Another complication is that we have hosts in both Windows and MIT realms scattered throughout the same DNS domains, so a simple domain-realm mapping will not work. We use DNS realm RRs (_kerberos.hostname) to effect this, and Windows has to somehow get the same info.

- Richard

> Before you do this, you may want to look at "Trusted Domain Objects"
> and "Global Catalog". There may be a way to use the "netdom" command to:
>
> "Establish one-way or two-way trust relationships between domains,
> including the following kinds of trust relationships:
> ...
> The Windows Server 2003 or Windows 2000 Server half of an
> interoperable Kerberos realm."
>
> Google for netdom, trusted domain object or TDO, referral and cross realm
> or Google for "Domain and Forest Trust Tools and Settings"
>
> (I have not tried this. But it looks like the netdom command could
> set up the TDO that is missing.)
>
>
> Richard E. Silverman wrote:
>
>> I'm considering the use of a Kerberos proxy, to solve the problem of being
>> unable to do cross realm authentication through a Windows realm to an MIT
>> one, due to Windows not issuing referrals for external realms. The proxy
>> would issue referrals where needed instead of having the Windows KDC say
>> "no such principal," and send/return all other requests to Windows for the
>> client. Obviously, the proxy will need the TGS keys for the Windows
>> realm. This is a last resort; I'm going mad badgering Microsoft for some
>> sort of solution to this. My outstanding request to them is whether they
>> can issue default referrals. I'm not expecting a positive answer.
>>
>> I'm wondering whether anyone else has considered this, or (hoping against
>> hope), already implemented it?
>>
>> I've considered using the KfW GSSAPI library with clients that support it
>> (Firefox, SecureCRT, etc.), but this is probably not a workable option for
>> us.
>>
>> All comments welcome and appreciated,
>>
>

--
Richard Silverman [EMAIL PROTECTED]

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
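The per-host DNS realm records Richard describes (_kerberos.hostname TXT records, resolved by MIT Kerberos when dns_lookup_realm is on) work by looking up the most specific record first and then walking up the DNS hierarchy, so a host record can override its domain's record. The following is an added example, not code from this thread or from MIT Kerberos: it implements that walk against a constructed in-memory table of TXT records (the hostnames and realm names are made-up sample data, and the "stop before the top-level label" rule is this example's own choice), and it lists the hosts whose realm differs from their domain's default, which is exactly the set that a Windows side with no notion of _kerberos TXT records would need to be told about explicitly. Note that plain DNS TXT answers are not authenticated, so a client that trusts them for realm selection is trusting its resolver path.

```python
"""Host-to-realm mapping from _kerberos.<name> TXT records (added example).

MIT Kerberos, with dns_lookup_realm enabled, asks for a TXT record named
_kerberos.<host>, then _kerberos.<parent domain>, and so on, using the first
answer as the realm.  A real client would issue DNS queries; here the lookup
is a constructed in-memory table so the logic runs offline.  DNS TXT answers
carry no authentication unless validated with DNSSEC, which is why MIT's own
documentation treats dns_lookup_realm as a spoofing risk.
"""
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample records (not real zones).  A host-level record overrides
# its domain's record, which is what lets MIT- and AD-realm hosts share a
# single DNS domain.
SAMPLE_TXT_RECORDS = {
    "_kerberos.example.com": "AD.EXAMPLE.COM",
    "_kerberos.unix1.example.com": "MIT.EXAMPLE.COM",
    "_kerberos.research.example.com": "MIT.EXAMPLE.COM",
    "_kerberos.pc7.research.example.com": "AD.EXAMPLE.COM",
}

Lookup = Callable[[str], Optional[str]]


def fake_txt_lookup(name: str) -> Optional[str]:
    """Stand-in for a DNS TXT query: returns the record text or None."""
    return SAMPLE_TXT_RECORDS.get(name.lower().rstrip("."))


def realm_for_host(hostname: str, lookup: Lookup = fake_txt_lookup
                   ) -> Tuple[Optional[str], Optional[str]]:
    """Return (realm, record name that supplied it), or (None, None).

    Candidates are tried from most to least specific:
    _kerberos.a.b.example.com, _kerberos.b.example.com, _kerberos.example.com.
    The walk stops before a single label so that a bare TLD is never queried
    (this stop rule is the example's choice, not a documented MIT behaviour).
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = "_kerberos." + ".".join(labels[i:])
        realm = lookup(candidate)
        if realm:
            return realm, candidate
    return None, None


def hosts_needing_explicit_mapping(hostnames: Iterable[str],
                                   lookup: Lookup = fake_txt_lookup
                                   ) -> List[Tuple[str, str]]:
    """Hosts whose realm differs from what their DNS domain alone would give.

    These are the exceptions a domain-to-realm mapping cannot express, so
    any system that does not read _kerberos TXT records (Windows, in the
    thread's setting) must be handed them as per-host mappings.
    """
    exceptions = []
    for host in hostnames:
        realm, _ = realm_for_host(host, lookup)
        if realm is None:
            continue
        parts = host.lower().rstrip(".").split(".", 1)
        domain_realm = realm_for_host(parts[1], lookup)[0] if len(parts) == 2 else None
        if realm != domain_realm:
            exceptions.append((host, realm))
    return exceptions


if __name__ == "__main__":
    sample_hosts = ["unix1.example.com", "pc3.example.com",
                    "lab.research.example.com", "pc7.research.example.com",
                    "host.other.org"]
    for h in sample_hosts:
        print(h, "->", realm_for_host(h))
    print("per-host exceptions:", hosts_needing_explicit_mapping(sample_hosts))
```

The `lookup` parameter is the only thing to swap for a real resolver; keeping it injectable also makes the walk order testable without network access.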
