
Cross realm problem


jm130794

Jun 4, 2012, 9:47:28 AM
to kerb...@mit.edu
Hello,

I've created a cross realm between an MIT Kerberos and an AD. All works fine.
My users can use their MIT principal to open an AD session.

Now, I have a user who wants to use his home computer to access his AD
home directory. My problem is he cannot be authenticated with his MIT
account. His computer is not a member of the AD (I don't have access to it).

Is it possible for my user to access his AD home directory (or other
shares) from his home?

Thanks

Wilper, Ross A

Jun 4, 2012, 11:28:46 AM
to jm130794, kerb...@mit.edu
The user will have to connect to their home directory using a credential from Active Directory (using NTLM auth).

Windows computers will not use Kerberos unless they are:
Professional, Enterprise, or Ultimate edition
Joined to a domain (or "joined" to an MIT/Heimdal realm)

-Ross
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

Douglas E. Engert

Jun 4, 2012, 11:33:05 AM
to kerb...@mit.edu


On 6/4/2012 8:47 AM, jm130794 wrote:
> Hello,
>
> I've created a cross realm between an MIT Kerberos and an AD. All works fine.
> My users can use their MIT principal to open an AD session.
>
> Now, I have a user who wants to use his home computer to access his AD
> home directory. My problem is he cannot be authenticated with his MIT
> account. His computer is not a member of the AD (I don't have access to it).
>
> Is it possible for my user to access his AD home directory (or other
> shares) from his home?

I think you would have the same problem even if you were not using cross realm.

Google for: access 2008 share from non domain
or: access CIFS share from non domain

He could use Remote Desktop Connection from home PC to work PC. And if he
really needs access to files from both, use the RDC to give the work PC
access to the home PC's disks.
>
> Thanks

--

Douglas E. Engert <DEEn...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

Robert Wehn

Jun 6, 2012, 4:04:41 PM
to Kerberos
On Mon, 4 Jun 2012 15:28:46 +0000, "Wilper, Ross A" <rwi...@stanford.edu>
wrote:
> The user will have to connect to their home directory using a credential
> from Active Directory (using NTLM auth).
>
> Windows computers will not use Kerberos unless they are:
> Professional, Enterprise, or Ultimate edition
With Windows XP this was no problem, but in Windows 7 the Home editions don't have
the "Join to a Domain" function (Vista? No idea.)
> Joined to a domain (Or "joined" to an MIT/heimdahl realm)

In principle it works, but it's very complicated, as the client has to
manage the whole cross-realm thing itself:
- Have both realms in the registry (with the KDCs, or via DNS lookup)
- Do the host-to-realm mapping
Both things may be done with the ksetup command, but every client needs
it configured locally, as there's no help from AD/GPO/whatever to do that
on a single client.

Then you can use
net use \\server-fqdn\share /USER:user...@MITRELM.MYDOMAIN (or use
Explorer)
and the host-to-realm mapping has to lead the client application to:
1. Get a TGT for username from the MITRELM.MYDOMAIN KDC
2. Get a cross-realm ticket for ADRELM.MYDOMAIN from the MITRELM.MYDOMAIN KDC
3. Get a serve...@ADRELM.MYDOMAIN ticket from the ADRELM.MYDOMAIN KDC (AD
domain controller)
4. Start the SMB session

Second problem:
All the client apps have to do this on their own.
We actually failed in trying to do this with Outlook and Exchange.
The Exchange server can do this, so web access works with
user...@MITRELM.MYDOMAIN.
The Outlook client is not able to manage this, even on an AD-joined
machine.

>> home directory. My problem is he cannot be authenticated with his MIT
>> account. His computer is not member the AD (I don't have access to it).
You would have to open the Kerberos ports for all KDCs to the outside.

For DNS use, for the
REALM -> KDC and
SERVICE-fqdn -> REALM
matching, all the service records have to be readable from the world.

> He could use Remote Desktop Connection from home PC to work PC. And if he
> really needs access to files from both, use the RDC to give the work PC
> access to the home PC's disks.
This is the easy way out ;-)

Robert

--

Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
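The client-side configuration Robert outlines above (both realms in the registry, the host-to-realm mapping, then `net use`), written out as an added example; this is not code from the thread or from any of its authors. The realm names are the thread's placeholders; the KDC hostname, domain controller, file server and user name are assumptions. The final `klist` is the check that the three-ticket chain he describes (MIT TGT, cross-realm TGT, AD service ticket) actually came through, rather than an NTLM fallback.

```powershell
# Added example: configure a non-domain-joined Windows client for the
# two-realm setup described in the thread, then verify the ticket chain.
# Realm names are the thread's placeholders; hostnames below are assumptions.
# Run from an elevated prompt; ksetup changes take full effect after a reboot.

$MitRealm = 'MITRELM.MYDOMAIN'
$AdRealm  = 'ADRELM.MYDOMAIN'
$MitKdc   = 'kdc.mitrelm.mydomain'        # assumed MIT KDC hostname
$AdDc     = 'dc1.adrelm.mydomain'         # assumed AD domain controller
$Server   = 'fileserver.adrelm.mydomain'  # assumed file server FQDN
$User     = 'username'                    # assumed MIT principal name

# Step 1 (Robert's "have both realms in the registry"): the MIT realm is
# the client's default realm, and its KDC/kpasswd server are registered.
ksetup /setrealm  $MitRealm
ksetup /addkdc    $MitRealm $MitKdc
ksetup /addkpasswd $MitRealm $MitKdc

# The AD realm must be known too, so the cross-realm TGT obtained from the
# MIT KDC can be presented to an AD domain controller.
ksetup /addkdc $AdRealm $AdDc

# Step 2 ("do the host-to-realm mapping"): tells the client that the file
# server belongs to the AD realm, so it asks the MIT KDC for a cross-realm
# ticket for ADRELM.MYDOMAIN instead of a service ticket it cannot issue.
ksetup /addhosttorealmmap $Server $AdRealm

# Show the resulting registry state before using it.
ksetup /dumpstate

# Mount the share with the MIT principal; the realm in the UPN selects the
# MIT KDC for the initial TGT (Kerberos needs 88/tcp+udp reachable on both KDCs).
net use "\\$Server\home" /USER:"$User@$MitRealm"

# Verification: the cache should now hold krbtgt/MITRELM.MYDOMAIN (the TGT),
# krbtgt/ADRELM.MYDOMAIN @ MITRELM.MYDOMAIN (the cross-realm ticket) and
# cifs/fileserver.adrelm.mydomain @ ADRELM.MYDOMAIN (the service ticket).
klist
```

If `klist` shows no cifs/ ticket for the server after the mount succeeded, the SMB session negotiated NTLM instead, which is exactly the case Ross describes and means the host-to-realm mapping or KDC registration did not take effect.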
