Hi, I am trying to set up cross-realm authentication between an MS domain (2008) and MIT Kerberos (Red Hat 5.4).

In the MIT realm we have only servers. Kerberos is configured and working fine. The realm name is PRO.ORG.

The MS realm has servers and clients. It is also working. All users are managed by AD in the MS realm. The name of the MS realm is PRO.LOCAL.

We are trying to set up a cross-realm trust. It is going to be a one-way trust: the MIT realm (PRO.ORG) will trust the MS realm (PRO.LOCAL).

When we boot a Windows client (Vista) it joins the MS domain and gets a krbtgt/PRO.LOCAL@PRO.LOCAL ticket as well as an ldap/sdc01.pro.local@PRO.LOCAL ticket.

To establish the trust relationship, we have entered krbtgt/PRO.ORG@PRO.LOCAL into both KDCs. Their passwords are the same, they use the same encryption type and their kvnos are the same. Up to here all seems fine.

I am trying to ssh from a Windows machine to a Linux host. As far as I know it should work like this:

1. ssh does a DNS search for the machine that I want to log in to.
2. ssh understands that the target machine belongs to another realm.
3. ssh asks the KDC of its own realm for a krbtgt/PRO.ORG@PRO.LOCAL ticket.
4. ssh gets this ticket and sends it to the KDC of the other realm (PRO.ORG).
5. The KDC of PRO.ORG gets this ticket and communicates with the KDC of PRO.LOCAL.
6. If they agree that the ticket is valid, PRO.ORG's KDC sends a host/ ticket.
7. ssh then uses this host ticket to establish a connection to the machine and logs in without a password.

The problem: from the ssh client, when I say I want to ssh to a machine, it goes directly to that system. It is kerberized (as far as I understand) but it never asks anything from its own KDC.

The ssh clients I have tried are:

- Kerberized PuTTY from Centrify
- Power Term
- OpenSSH

Regards,
Aydin

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
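For readers following this thread, below is an added example of the MIT-side krb5.conf that the cross-realm flow described in the post relies on; it is not the poster's actual configuration. The MIT KDC hostname kdc.pro.org is an assumption (the post does not name it); sdc01.pro.local is taken from the ldap/ ticket the Windows client obtains and is assumed here to be the AD KDC. The point the comments make is that the [domain_realm] mapping is what lets a Kerberos library decide that host/<linux-host>.pro.org lives in PRO.ORG and therefore that a cross-realm krbtgt/PRO.ORG@PRO.LOCAL ticket must be requested first; without such a mapping the library assumes the host is in the client's own realm and never asks for the cross-realm TGT. How a domain-joined Windows client itself learns the realm of a foreign host is handled by AD and is outside this example.

```ini
# Added example krb5.conf for the MIT realm PRO.ORG (illustration only).
# Hostnames marked (assumed) are not from the original post.
[libdefaults]
    default_realm = PRO.ORG
    # Let the library find KDCs via DNS SRV records if present,
    # but always use the explicit host-to-realm table below.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    PRO.ORG = {
        kdc = kdc.pro.org            # MIT KDC (assumed hostname)
        admin_server = kdc.pro.org   # (assumed hostname)
    }
    PRO.LOCAL = {
        kdc = sdc01.pro.local        # AD domain controller (from the post's ldap/ ticket)
    }

# Host-to-realm mapping. This is what tells a client that
# host/linuxbox.pro.org is a PRO.ORG principal and not a PRO.LOCAL one,
# so it must first obtain krbtgt/PRO.ORG@PRO.LOCAL from its own KDC.
[domain_realm]
    .pro.org   = PRO.ORG
    pro.org    = PRO.ORG
    .pro.local = PRO.LOCAL
    pro.local  = PRO.LOCAL

# Trust path for the one-way trust: PRO.LOCAL users reach PRO.ORG
# directly ("." = no intermediate realm). Only the PRO.LOCAL -> PRO.ORG
# direction is declared, matching the one-way trust in the post.
[capaths]
    PRO.LOCAL = {
        PRO.ORG = .
    }
```

With this in place, a successful cross-realm login leaves two entries visible to `klist` on the client side: krbtgt/PRO.LOCAL@PRO.LOCAL (the initial TGT) and krbtgt/PRO.ORG@PRO.LOCAL (the cross-realm TGT), followed by the host/ service ticket issued by the PRO.ORG KDC. If the cross-realm krbtgt never appears in the cache, the client decided the target host was in its own realm, which points at the realm mapping rather than at the shared krbtgt principal. On the MIT KDC, the kdc.log shows the incoming TGS request carrying the PRO.LOCAL-issued cross-realm ticket, which is a useful place to confirm that the two krbtgt entries really do share password, enctype and kvno as the post describes.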