[sphen]

ill have to take a look at that. thanks for the info!

[sphen]

yes that makes sense. I guess im not exactly clear on what i want – i had figured out that having services respect both OD and AD kerberos tokens requires the trust between the two realms – something that is not really necessary and i dont care about.

but i am also very interested in the OD binding issue as stated above as well.. any input on that?

[sphen]

Just to let you know that you arent the only one trying to figure this out. I have for the last week or so off and on been working with AD and OD interoperation, and have come across this exact problem you are describing.

It is most definitely a Kerberos problem. As for how to fix it I am not sure at this point. I may go into the edu.mit.Kerberos config file and make some manual modifications. But in general setting up single sign on for the server i notice that each service, be it afp, smb, ssh etc can respect service tokens for one kerberos realm only. I would really like things like ssh to respect a token whether it came from the OD KDC or the AD KDC. but im not sure if thats possible. The problem i think we are running into is that the AD kerberos realm is the default in the server and when the LDAP plug in for directory service starts up it tries to authenticate with the OD master using a kerberos but fails. as for is this is more a loginwindow problem or what im not sure.

This this ended up being more confusing than helping – but I have to assume that someone has run into this or has a more in depth understanding of things to point us in the right direction.

[Author]

Posts