cosign-discuss at umich.edu
general discussion of cosign development and deployment
Hi all,

OK, we have cosign running and authenticating to Active Directory, which does not require a Kerberos server to authenticate to (other than the AD). Now, I need to authenticate to another KDC that has different users than in AD. So, I have some questions.

Can I use 2 KDCs in my default realm that don't share the same users, or can I set up a cross-realm mapping for 2 KDCs? Any examples would be welcome.

I have a KDC set up on our test machine and can kinit from our cosign machine with myself/admin. However, I cannot kinit cosign. I get an invalid password. Here is how I added cosign from the cosign machine.

    kadmin
    addprinc cosign/FQDN_cosign_server
    add password and verify
    ktadd -k /etc/keytab.cosign

As I said, though, I get an invalid password error whenever I try to kinit it from the cosign server. Am I not setting it properly? I've deleted the cosign and re-added, but no use.

Also, do I need to add the /etc/krb5.keytab file to the cosign configuration/Apache configuration? Or will it default there? How about the keytab.cosign?

What do the Apache configs for Kerberos do? I'm somewhat confused.

    CosignTicketPrefix [ the path to the Kerberos ticket store ]

    CosignGetKerberosTickets [ on | off ]
        module asks for tgt from cosignd

    CosignKerberos524 [ on | off ]
        whether you want K5 tgt converted to K4 tgt

    CosignKerberosSetupGSS [ on | off ]
        setup the environment so that other apache modules that need
        GSSAPI/Kerberos work. e.g. IMP running under mod_php

    CosignGetProxyCookies [ on | off ]
        module asks for proxy cookies from cosignd

Thanks much,
jim