Russ Allbery wrote:
> > I am just curious. What Windows client programs and Unix server programs
> > (or vice versa) must you use? How do you use this trust?

> We allow all Active Directory users at Stanford to log on either in the AD
> realm or in the university Heimdal realm, and try to set up as many
> services as we can to accept either set of credentials as equivalent.
> This is relatively easy on the AD side.  On the UNIX side, WebAuth (via
> Negotiate-Auth/SPNEGO) is configured to trust AD credentials and treat
> them as equivalent, as is AFS; the rest is somewhat hit or miss.  For
> example, I don't think AD credentials work with GSSAPI authentication to
> Zimbra, mostly because we've not gotten around to figuring out how to tell
> Zimbra to treat the credentials as equivalent.

> We also routinely authenticate automated UNIX clients to AD services and
> vice versa for things like authenticated LDAP queries and the like.

> In general, AD is used as the primary authentication realm for all
> services running on Windows inside the AD forest, and for users who log in
> via AD.  Most systems (such as student systems) are not joined to AD, and
> general campus use all uses the Heimdal realm, with occasional cross-realm
> authentications to Windows web services.  Most principals for automated
> processes, host and service principals, and so forth are issued from the
> Heimdal realm, since we have invested more effort into automated principal
> management, distributed ACLs, and the like on the Heimdal side.

Thank you, that was interesting to read.

> > I am trying to set up a trust so that MSIE users could have an SSO to a
> > site running Apache on FreeBSD but I don't know yet if the game is
> > worth the candle.

> It should be fairly straightforward.

I seem to have hit a problem where I had not expected one:

# apachectl configtest
httpd: Syntax error on line 106 of /usr/local/etc/apache22/httpd.conf:
Cannot load /usr/local/libexec/apache22/ into server:
/usr/local/libexec/apache22/ Undefined symbol

# ldd /usr/local/libexec/apache22/
/usr/local/libexec/apache22/ => /usr/lib/ (0x281b1000) => /usr/lib/ (0x281ba000) => /usr/lib/ (0x28300000) => /usr/lib/ (0x281bf000) => /usr/lib/ (0x281f5000) => /lib/ (0x2835e000) => /usr/lib/ (0x284b9000) => /usr/lib/ (0x2852e000) => /lib/ (0x2853e000) => /lib/ (0x28090000)

# uname -sr
# pkg_info | grep ^ap
ap22-mod_auth_kerb-5.4_2 An Apache module for authenticating users with Kerberos v5
apache-2.2.17_1     Version 2.2.x of Apache web server with prefork MPM.
apr-nothr-devrandom-gdbm- Apache Portability Library

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
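For readers following the thread, here is the shape of the Negotiate/SPNEGO configuration that the mod_auth_kerb module in the package list above is normally used for. This is an added illustration, not Victor's httpd.conf or a file from the mod_auth_kerb project; the module file name, the keytab path, the realm names and the URL path are assumptions chosen for the example. The directives themselves (AuthType Kerberos, KrbMethodNegotiate, KrbMethodK5Passwd, KrbServiceName, Krb5Keytab, KrbAuthRealms, KrbVerifyKDC, KrbSaveCredentials) are the ones documented for mod_auth_kerb 5.x.

```apache
# Added example of a mod_auth_kerb Negotiate setup on Apache 2.2 (FreeBSD paths assumed).
# Load the module; this LoadModule line is the one that must resolve cleanly at
# "apachectl configtest" before any of the directives below are even parsed.
LoadModule auth_kerb_module libexec/apache22/mod_auth_kerb.so   # assumed file name

<Location /sso>                       # assumed URL path
    AuthType Kerberos
    AuthName "Kerberos SSO"

    # Accept SPNEGO tokens from the browser (what MSIE sends for SSO) and do not
    # fall back to prompting for a password: a Basic-auth fallback would send the
    # user's Kerberos password across the wire and defeats the point of SSO.
    KrbMethodNegotiate On
    KrbMethodK5Passwd  Off

    # The service principal the browser asks the KDC for. With cross-realm trust
    # in place, an AD user obtains a cross-realm TGT and then a ticket for this
    # principal in the UNIX realm; the keytab must hold exactly that key.
    KrbServiceName HTTP
    Krb5Keytab     /usr/local/etc/apache22/http.keytab   # assumed path; readable by the httpd user only

    # Realms whose principals are accepted. Both the UNIX realm and the trusted
    # AD realm are listed so either set of credentials is treated as equivalent,
    # mirroring the "either credential is fine" policy described in the thread.
    KrbAuthRealms EXAMPLE.EDU WIN.EXAMPLE.EDU            # assumed realm names

    # Verify the service ticket against the keytab (guards against a spoofed KDC);
    # do not keep forwarded credentials on the web server unless an application
    # behind it actually needs them.
    KrbVerifyKDC       On
    KrbSaveCredentials Off

    Require valid-user
</Location>
```

With a setup like this, the realm in the authenticated principal (for example user@WIN.EXAMPLE.EDU versus user@EXAMPLE.EDU) is passed to the application as REMOTE_USER, so any application-level mapping of the two realms to one identity still has to be done deliberately; that is the step Russ describes as "hit or miss" per service on the UNIX side.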
Kerberos mailing list 
