ACD Linux System Administration
Kerberos Notes
25-October-2002
Kerberos Testbed Notes are here
Steps to creating pass-through authentication
So what we want to achieve is pass-through authentication: a user logs on to
the Windows domain once and uses that logon to reach services in the MIT
Kerberos realm, without a second password. Microsoft describes the process
here. The article is long, but the only part we're really interested in is
the section "Setting Trust with a Kerberos Realm".
So to do pass-through authentication, we'll have to:
- Configure each workstation: each workstation has to have the
MIT Kerberos realm defined for it. If the MIT Kerberos realm is called
UCAR.EDU and its KDC is kdc.realm.ucar.edu, this is done with the ksetup
command, run from an Administrator prompt (realm names are case-sensitive,
so give the realm in upper case exactly as the MIT KDC knows it):
C:\> ksetup /addkdc UCAR.EDU kdc.realm.ucar.edu
- Help the Windows KDC trust the MIT Kerberos realm: on a domain controller,
open Active Directory Domains and Trusts, open the domain's properties,
Trusts tab, and add the MIT realm (UCAR.EDU) as a trusted domain (and as a
trusting domain too, for a two-way trust), marking it as a non-Windows
Kerberos realm and supplying a trust password. That password is the one the
cross-realm krbtgt principals in the next step must be created with.
- Help the MIT Kerberos realm to trust the Windows KDC:
Use the following MIT Kerberos administration commands to create the
cross-realm principals in the MIT realm (the "foreign" realm from the Windows
article's point of view; kadmin is run on a UNIX system). The password given
to each principal must be the same trust password entered for the
corresponding direction on the Windows side. Note that "-pw" puts the password
on the command line, where it shows up in the shell history and in ps output;
outside a testbed, leave -pw off and let kadmin prompt for it instead.
% kadmin -q "ank -pw password krbtgt/CIT.UCAR.EDU@UCAR.EDU"
% kadmin -q "ank -pw password krbtgt/UCAR.EDU@CIT.UCAR.EDU"
- Create account mappings: we may have to create account mappings between
domain accounts and MIT Kerberos realm accounts, even though we are using
common usernames. These mappings are set up in the Active Directory
management tool. Once the mappings are set up, users should be able to
change their Kerberos realm passwords from the CTRL-ALT-DEL sequence.
- Start the directory management tool: point to Programs, then
Administrative Tools, then Active Directory Users and Computers.
- Turn on advanced features by clicking "View", then "Advanced
Features".
- Locate the account to which you want to add mappings. Right-click it
and choose "Name Mappings".
- Click the "Kerberos Names" tab.
- Add a principal from the UNIX-based MIT realm, for example
"fredrick@UCAR.EDU" (the realm part must match the MIT realm's case exactly).
Can we automate this in some way or do it by batch? This will be a lot of
clicking for the hundreds of accounts that might be in a typical division.
The tab just writes the account's altSecurityIdentities attribute with a
value of the form "Kerberos:fredrick@UCAR.EDU", so the mappings can be
bulk-loaded with ldifde or any LDAP client instead of clicked in one by one.
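The MIT-side half of the procedure above, plus a batch answer to the account-mapping question, as an added example script. This is not code from these notes, from Microsoft's article, or from MIT; it assumes the Windows domain is CIT.UCAR.EDU, the MIT realm is UCAR.EDU, that user objects sit directly under an assumed container OU=Users,DC=cit,DC=ucar,DC=edu with CN equal to the username, and that both cross-realm principals share one password. The sample user list at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for these notes; not code from Microsoft or MIT.
# Assumptions (none are stated in the notes): Windows domain CIT.UCAR.EDU,
# MIT realm UCAR.EDU, accounts under OU=Users,DC=cit,DC=ucar,DC=edu with
# CN equal to the username, and one shared password for both krbtgt principals.
set -eu

AD_DOMAIN="CIT.UCAR.EDU"
MIT_REALM="UCAR.EDU"
USER_BASE="OU=Users,DC=cit,DC=ucar,DC=edu"   # assumed container for accounts

# The two cross-realm ticket-granting principals, one per trust direction.
crossrealm_principals() {
    printf 'krbtgt/%s@%s\n' "$AD_DOMAIN" "$MIT_REALM"   # tickets UCAR.EDU issues for CIT
    printf 'krbtgt/%s@%s\n' "$MIT_REALM" "$AD_DOMAIN"   # tickets CIT issues for UCAR.EDU
}

# Create them in the MIT KDC. The password is read from a root-only file ($1)
# and fed to kadmin.local on stdin, so it never appears in argv or in shell
# history the way 'kadmin -q "ank -pw ..."' does. It must equal the trust
# password set in Active Directory Domains and Trusts. (Passwords with
# whitespace would need quoting for kadmin; keep it to one token here.
# If the Windows side supports only some encryption types, add "-e" to ank.)
create_crossrealm_principals() {
    pwfile=$1
    pw=$(cat "$pwfile")
    crossrealm_principals | while read -r princ; do
        printf 'ank -pw %s %s\n' "$pw" "$princ"
    done | kadmin.local
}

# One LDIF change record that adds the Kerberos name mapping for a user.
# It is the same value the "Kerberos Names" tab writes: the
# altSecurityIdentities attribute with a "Kerberos:<principal>" entry.
# "add" rather than "replace" keeps any existing mappings (for example X509),
# and loading the same user twice fails on the duplicate instead of
# silently overwriting. Usernames containing DN special characters
# (commas, plus signs, quotes) would need LDAP escaping, which is not done.
mapping_ldif() {
    user=$1
    printf 'dn: CN=%s,%s\n' "$user" "$USER_BASE"
    printf 'changetype: modify\n'
    printf 'add: altSecurityIdentities\n'
    printf 'altSecurityIdentities: Kerberos:%s@%s\n' "$user" "$MIT_REALM"
    printf '%s\n\n' '-'
}

# Read usernames from stdin (one per line; blank lines and # comments are
# skipped) and emit one LDIF file for the whole division.
bulk_mapping_ldif() {
    while read -r user; do
        case $user in ''|'#'*) continue ;; esac
        mapping_ldif "$user"
    done
}

# Demonstration on a constructed user list. In real use:
#   bulk_mapping_ldif < users.txt > mappings.ldf
#   ldifde -i -f mappings.ldf      (on a domain controller), or
#   ldapmodify -f mappings.ldf     (from UNIX, with suitable credentials)
bulk_mapping_ldif <<'EOF'
# constructed sample list
fredrick
alice
EOF
```

Check the result on a workstation after the trust is in place: log on with a domain account, then run klist and confirm a ticket for krbtgt/UCAR.EDU@CIT.UCAR.EDU appears once a service in the MIT realm has been contacted; if it does not, the trust password or the realm spelling on one side is wrong.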