
Windows kerberos trust relationship conundrum...


Dyer, Rodney

Nov 5, 2012, 3:49:11 PM
to kerb...@mit.edu
Hi,

I need some advice. I need to verify that an MIT/Windows trust option we've wanted to work, in fact cannot work. Can someone here maybe provide some insightful comments on our setup?

Given:

1. We have an existing Microsoft Win2k3 AD domain (MOSAIC.UNCC.EDU) in a cross-realm trust with an MIT KDC realm (UNCC.EDU).

2. Our XP clients are members of the Win2k3 domain.

3. Our XP users log on to the XP clients using their MIT realm credentials.

4. Once logged on to XP, our users access a CIFS share, hosted off of one of the Win2k3 domain servers. The access works without a password because the CIFS service ticket is served from the Win2k3 domain. The MIT user's "tgt" is "trusted".

This 'old' setup has worked fine for years.


Now for the 'new' setup...

1. We have set up a new Win2k8R2 domain "MOSAIC64.UNCC.EDU".

2. The Win2k8R2 domain is also in a cross-realm trust with the MIT realm "UNCC.EDU".

3. Our new Win7 clients are members of the Win2k8R2 domain.

4. Once logged on to Win7, our user can access a CIFS share, hosted off of one of the Win2k8R2 domain servers. The access works without a password because the CIFS service ticket is served from the Win2k8R2 domain. The MIT user's "tgt" is "trusted".

This 'new' setup works just fine.


|----------------------|
| MIT REALM: UNCC.EDU  |
|----------------------|
     ^          ^
     |          |
     |          |
     |          |   AD1 trust   |------|  domain membership  |-----------|
     |          --------------->| AD1  |<--------------------| XP Client |<---[ us...@UNCC.EDU ]
     |                          |------|                     |-----------|
     |                             ^                          ---------/
     |                             |                                  /
     |                          |-------------------|                /
     |                          | AD CIFS VOL SHARE |<--------------/
     |                          |-------------------|
     |
     |
     |
     |
     |               AD2 trust  |------|  domain membership  |-------------|
     -------------------------->| AD2  |<--------------------| Win7 Client |<---[ us...@UNCC.EDU ]
                                |------|                     |-------------|
                                   ^                          ---------/
                                   |                                  /
                                |-------------------|                /
                                | AD CIFS VOL SHARE |<--------------/
                                |-------------------|




Now for our 'problem'...

1. What we really need is for our XP and Win7 users to share the "same CIFS volume", either hosted off of the old Win2k3 CIFS share, or the new Win2k8R2 CIFS share. We want this...


|----------------------|
| MIT REALM: UNCC.EDU  |
|----------------------|
     ^          ^
     |          |
     |          |
     |          |   AD1 trust   |------|  domain membership  |-----------|
     |          --------------->| AD1  |<--------------------| XP Client |<---[ us...@UNCC.EDU ]
     |                          |------|                     |-----------|
     |                             ^                          ---------/
     |                             |                                  /
     |                          |-------------------|                /
     |                          | AD CIFS VOL SHARE |<--------------/
     |                          |-------------------|\
     |                                                \
     |                                                 \-----\
     |                                                        \
     |               AD2 trust  |------|  domain membership  |-------------|
     -------------------------->| AD2  |<--------------------| Win7 Client |<----[ us...@UNCC.EDU ]
                                |------|                     |-------------|

2. We are finding no way to configure trusts, or set up 'forest' trusts, to allow sharing of a single CIFS share from both AD domains.


Does anyone know what options, if any, we may have here?

It would seem that since our XP/Win7 clients can only be members of one domain, or the other, then we have no capability to provide authentication through to a non-member domain, even if it is also in the same cross-realm trust with the MIT KDC.

Essentially, "user@AD1_DOMAIN" (while logged on a client that is a "AD1_DOMAIN" member), can't be mapped to "user@AD2_DOMAIN", even if both domains are trusting "MIT.REALM", and the user has a "us...@MIT.REALM" TGT.

Is this reasoning correct?

Rodney

Rodney M. Dyer
Operations and Systems (Specialist)
Mosaic Computing Group
William States Lee College of Engineering
University of North Carolina at Charlotte
Email: rmd...@uncc.edu
Web: http://www.coe.uncc.edu/~rmdyer
Phone: (704)687-3518
Help Desk Line: (704)687-3150
FAX: (704)687-2352
Office: Cameron Hall, Room 232
Wilper, Ross A

Nov 5, 2012, 6:52:25 PM
to Dyer, Rodney, kerb...@mit.edu
You can access more AD brainpower by posting this to acti...@mail.activedir.org or window...@lists.stanford.edu
-----

You are correct. The member server can only be a member of a single Kerberos realm (Active Directory domain) at any time.

----

My first thought is that you need to add Top-Level Name definitions to your trust relationships between your Active Directories and the MIT realm. Adding TLNs requires that you make the trusts forest transitive. TLNs tell Active Directory "send referrals for services with these (DNS) names thataway"

MOSAIC.UNCC.EDU trust needs TLNs UNCC.EDU and MOSAIC64.UNCC.EDU
MOSAIC64.UNCC.EDU trust needs TLNs UNCC.EDU and MOSAIC.UNCC.EDU

Not sure that the MIT realm will pass the referrals on through the chain, nor do I know whether transitive forest trusts through a non-Windows realm will work, but if it can, then you should be able to get all the necessary tickets no matter which domain/realm the server is in.

Second option may be to create a "shortcut" trust between MOSAIC and MOSAIC64. (I do not know without experimentation what the impact will be of the MIT principal having two findable altSecurityIdentities mappings, however. Having 2 in the same forest is bad; I don't know if 2 across two trusted forests is ok.) The more I think about it, the more likely it seems that you will need to use this route to get it to work...

Grant the users that the MIT principals map to in both AD realms access on the resource.

-Ross
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
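A way to check the two things raised in the reply above from an admin workstation: how the trusts look from each AD domain (type, direction, transitivity), and whether the MIT principal is mapped by more than one account via altSecurityIdentities. This is an added example and not code from the thread or from either poster. It assumes the RSAT ActiveDirectory module is installed, that a DC of each domain is reachable, and that the principal and file-server names are placeholders; the domain and realm names are the ones posted.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# reachable DCs for both AD domains, and placeholder principal/server names.
Import-Module ActiveDirectory

$MitRealm  = 'UNCC.EDU'
$AdDomains = 'MOSAIC.UNCC.EDU', 'MOSAIC64.UNCC.EDU'
$Principal = "someuser@$MitRealm"            # placeholder MIT principal

foreach ($dom in $AdDomains) {
    Write-Host "== Trusts as seen from $dom =="
    # A trust to a non-Windows realm shows TrustType 'Kerberos'. ForestTransitive
    # and IntraForest say whether referrals can be chained beyond this trust.
    Get-ADTrust -Filter * -Server $dom |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest, SelectiveAuthentication |
        Format-Table -AutoSize

    # Accounts whose altSecurityIdentities maps the MIT principal. A realm-trust
    # logon is matched on the exact 'Kerberos:<principal>' value, so the filter
    # uses that form. More than one hit in a domain makes the mapping ambiguous.
    $mapped = @(Get-ADUser -Server $dom -Properties altSecurityIdentities `
                   -LDAPFilter "(altSecurityIdentities=Kerberos:$Principal)")
    $names = ($mapped | ForEach-Object { $_.SamAccountName }) -join ', '
    Write-Host ("{0} account(s) in {1} map {2}: {3}" -f $mapped.Count, $dom, $Principal, $names)
    if ($mapped.Count -gt 1) {
        Write-Warning "More than one account in $dom maps $Principal; resolve this before adding a second trust path."
    }
}

# On a client that is a member of one domain, request a CIFS service ticket
# for a file server in each domain and look at which realm issued it
# (klist on Win7/2008R2 supports 'klist get <SPN>'). Server names are placeholders.
$FileServers = 'fs1.mosaic.uncc.edu', 'fs1.mosaic64.uncc.edu'
foreach ($fs in $FileServers) {
    klist get "cifs/$fs" | Out-Null
}
klist | Select-String -Pattern 'Client:|Server:'
```

Run the first part with an account that can read both domains; the `Server:` lines from `klist` show which realm issued each cifs/ ticket, which is the quickest way to see whether a referral chain through the MIT realm actually produced a ticket for the non-member domain's server.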

Douglas E. Engert

Nov 5, 2012, 10:17:52 PM
to kerb...@mit.edu


On 11/5/2012 2:49 PM, Dyer, Rodney wrote:
> Hi,
>
> I need some advice. I need to verify that an MIT/Windows trust option we've wanted to work, in fact cannot work. Can someone here maybe provide some insightful comments on our setup?
>

Have you looked at cross-forest trust between MOSAIC.UNCC.EDU and MOSAIC64.UNCC.EDU?

I don't know if that would work.

Since your Kerberos realm is UNCC.EDU, you can't have both in the same forest,
as the top of the forest would have to be UNCC.EDU.
--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444