Russ Allbery wrote:

> > 2. Are there any success stories of servers in a Heimdal realm
> > authenticating users from a trusted Microsoft AD based realm?

> Yes, we do this.

I am just curious. What Windows client programs and Unix server
programs (or vice versa) must you use? How do you use this trust?

I am trying to set up a trust so that MSIE users could have an SSO to a
site running Apache on FreeBSD but I don't know yet if the game is
worth the candle.

> > Is there documentation on how to set up such a one-way trust?

> We have a bidirectional trust, but I think the setup is substantially the
> same.  It's just like a regular bidirectional trust, except you would then
> delete the krbtgt principal for the Active Directory realm from the
> Heimdal realm.

> There's a section in the Heimdal manual on setting up cross-realm trust.
> On the Active Directory side, I've not done it personally, but:

> http://technet.microsoft.com/en-us/library/cc738617%28WS.10%29.aspx

This documentation seems incomplete because it does not mention some
issues with a non-Windows realm. I have another link:

http://technet.microsoft.com/en-us/library/bb742433.aspx

But it still escapes me how on earth I will end up with
krbtgt/unix.re...@windows.realm  and krbtgt/windows.re...@unix.realm
having the same key. There is nothing in the above articles about
exporting and importing keytabs.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/4...@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos