Hi folks,
Hoping someone can help. We have a SLES 11 SP4 server that can authenticate OK to an overall domain and subdomains that have trusts. Our krb5.conf just has the overall domain in it and the subdomains do work as if by magic.
Apache 2.2.23, mod_auth_kerb 5.4.
We have a new domain that's been added to the trusts of this overall domain as a one-way trust - it trusts the overall domain. I'm told this means the groups are nested in this overall domain. I can run wbinfo -u "subdomain/user" and pull back the SID. I can't, however, check the group, for example with wbinfo -g group, or the whole domain with wbinfo -u | grep subdomain, which I can with the others.
I'm thinking this isn't working because of the one-way trust and mod_auth_kerb is seeing them as on pass through user@subdomain and not this overall nested domain - is there any way to get this to work in krb5 config perhaps, or Active Directory config that's missing?
The Apache error is "invalid token, no error" and sometimes "client not found in kerberos database". They get a login prompt at their end and do have Integrated Windows Authentication ticked. Am I even on the right track? Any pointers much appreciated, or even how to debug it further. Thanks
Ely