2.18. Creating a Trust to a Kerberos Realm

Problem

You want to create a trust to a Kerberos realm.

Solution

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right-click the domain you want to add a trust for and select Properties.

  3. Click on the Trusts tab.

  4. Click the New Trust button.

  5. After the New Trust Wizard opens, click Next.

  6. Type the name of the Kerberos realm.

  7. Select the radio button beside Realm Trust and click Next.

  8. Select either Transitive or Nontransitive and click Next.

  9. Select Two-way, One-way incoming, or One-way outgoing and click Next.

  10. Enter and retype the trust password and click Next.

  11. Click Next and click Finish.

Using a command-line interface

> netdom trust <ADDomainDNSName> /Domain:<KerberosRealmDNSName>[RETURN]
         /Realm /ADD /PasswordT:<TrustPassword>[RETURN]
         [/UserO:<ADDomainAdminUser> /PasswordO:*]

The <TrustPassword> has to match what was set on the Kerberos side. To create a realm trust from the rallencorp.com domain to the Kerberos realm called kerb.rallencorp.com, use the following command:

> netdom trust rallencorp.com /Domain:kerb.rallencorp.com[RETURN]
         /Realm /ADD /PasswordT:MyKerbRealmPassword[RETURN]
         /UserO:administrator@rallencorp.com /PasswordO:*
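
The same command can be scripted so that the trust password is prompted for rather than typed into a saved command line, with a check afterwards that the realm trust exists. The following PowerShell is an added example, not code from the book. It assumes it is run as a domain administrator on a machine with netdom installed, uses the recipe's sample names as defaults, and uses netdom's /TwoWay switch, which this recipe does not show.

```powershell
# Added example (not from the book): create the realm trust from this recipe
# without hard-coding the trust password, then confirm the trust is listed.
# Assumptions: run as a domain admin; netdom.exe is on the PATH.
param(
    [string]$ADDomain = 'rallencorp.com',            # sample name from the recipe
    [string]$KerberosRealm = 'kerb.rallencorp.com',  # sample name from the recipe
    [switch]$TwoWay                                  # default is a one-way trust
)
Add-Type -AssemblyName System.DirectoryServices

# Prompt for the trust password; it must match what was set on the Kerberos side.
$secure = Read-Host -Prompt "Trust password for $KerberosRealm" -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    # netdom only accepts the password as an argument, so it is still visible
    # to process command-line auditing while netdom runs.
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    $netdomArgs = @('trust', $ADDomain, "/Domain:$KerberosRealm",
                    '/Realm', '/ADD', "/PasswordT:$plain")
    if ($TwoWay) { $netdomArgs += '/TwoWay' }
    & netdom.exe @netdomArgs
    if ($LASTEXITCODE -ne 0) { throw "netdom exited with code $LASTEXITCODE" }
}
finally {
    # Wipe the unmanaged copy and drop the plaintext variables.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain, netdomArgs -ErrorAction SilentlyContinue
}

# Read the domain's trust list back and look for a Kerberos-type trust to the realm.
$ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $ADDomain)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$trust = $domain.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -eq $KerberosRealm -and $_.TrustType -eq 'Kerberos' }
if (-not $trust) {
    throw "No Kerberos realm trust to $KerberosRealm found on $ADDomain"
}

# Show the direction so an unintended two-way trust is noticed immediately.
$trust | Format-List SourceName, TargetName, TrustType, TrustDirection
```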

Discussion

You can create a Kerberos realm trust between an Active Directory domain and a non-Windows Kerberos v5 realm. A realm trust can be used to allow clients from the non-Windows Kerberos realm to access resources in Active Directory, and vice versa. See Recipe 18.7 ...
