MIT Realm Trust intransitivity?

From: James Ervin (james_at_unc.edu)
Date: 02/26/04

    Date: Thu, 26 Feb 2004 08:36:05 -0800

    When creating an outgoing trust to an MIT Kerberos 5 realm, one of the dialogs that pops up states:

    "Transitive: if client computers are configured to take advantage of
    transitive trusts, the trust is bounded by the domain and the realm in the
    relationship and the children of the domain and the realm in the
    relationship."

    What this implies--and what seems to be confirmed by our testing--is that if we have a "dedicated forest root" with no users, we can't have one child domain with all our users, map those users to MIT Kerberos realm principals, and then have users authenticate to the MIT realm and access resources in other child domains, because the trust with the MIT realm is not truly transitive--it can only descend the tree, not traverse back up to the root domain and then back down to another child domain. Is there a workaround or scheme for making cross-domain access to resources possible, other than creating explicit trusts between all child domains?

    Can we, for instance, create an outgoing trust to an MIT realm in the dedicated forest root, but map users who reside in child domains to MIT principals, rather than having those users actually reside in the forest root? Logically, this would seem to work; and organizationally, it's preferable for us to leave our users in child domains for many reasons, control and responsibility among them. However, it doesn't address the problem of "transitive" trusts that really aren't.

    This article has a brief explanation of the "dedicated forest root" concept: http://www.winnetmag.com/Article/ArticleID/23521/23521.html

    Thanks as always-

    James Ervin
    Chapel Hill, NC
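A small model of the scoping rule quoted from the trust dialog above, added here as an illustration and not part of the original post or of any Microsoft or MIT code. The forest layout (a dedicated root with two child domains) and the realm name are constructed, and the model encodes only the quoted wording (the trust reaches the domain in the relationship and its children), not anything else about how Windows resolves trust paths.

```python
# Constructed sample forest (assumption): a dedicated root and two child domains.
# Each entry maps a domain to its parent; the root has no parent.
FOREST_PARENT = {
    "root.example": None,
    "users.root.example": "root.example",
    "apps.root.example": "root.example",
}
MIT_REALM = "MIT.EXAMPLE.EDU"  # constructed realm name, not from the post


def descendants(forest_parent, domain):
    """The domain itself plus every domain below it in the forest tree."""
    reach = {domain}
    frontier = [domain]
    while frontier:
        current = frontier.pop()
        for child, parent in forest_parent.items():
            if parent == current and child not in reach:
                reach.add(child)
                frontier.append(child)
    return reach


def realm_reach(forest_parent, realm_trusts, realm):
    """Domains whose resources a principal from `realm` can reach.

    `realm_trusts` maps a Windows domain to the MIT realm it has an outgoing
    trust to. Per the quoted dialog, each such trust is bounded by the trusting
    domain and its children: the path only descends, never climbs back to the
    root and down into a sibling domain.
    """
    reach = set()
    for trusting_domain, trusted_realm in realm_trusts.items():
        if trusted_realm == realm:
            reach |= descendants(forest_parent, trusting_domain)
    return reach


def unreachable_child_domains(forest_parent, realm_trusts, realm):
    """Child domains the realm's users cannot reach: the gap the post describes."""
    children = {d for d, parent in forest_parent.items() if parent is not None}
    return children - realm_reach(forest_parent, realm_trusts, realm)


if __name__ == "__main__":
    # Scenario from the post: the trust is created in the child domain that holds the users.
    child_trust = {"users.root.example": MIT_REALM}
    print(sorted(unreachable_child_domains(FOREST_PARENT, child_trust, MIT_REALM)))
    # Workaround the post names: an explicit trust from every child domain.
    explicit = {"users.root.example": MIT_REALM, "apps.root.example": MIT_REALM}
    print(sorted(unreachable_child_domains(FOREST_PARENT, explicit, MIT_REALM)))
```

Running the two scenarios shows the sibling domain `apps.root.example` left unreachable with a single child-domain trust, and nothing unreachable once each child domain carries its own explicit trust.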

