w2k client login to kerberos realm

Actually davidchr davespam at microsoft.com
Tue Nov 12 16:49:34 EST 2002 

It sounds like you've got local mappings (ksetup /mapuser * *) but you
really want domain mappings (either or both will work, depending on your
needs).  

If you want AD domain accounts to serve as proxy accounts for purposes
of authorizing principals from trusted non-Windows realms, then you can
use ksetup to configure each proxy account (you can't ksetup /mapuser *
* at the domain level-- it only works for local accounts):

ksetup /domain WINDOWS.DOMAIN.COM /mapuser foo at REALM.COM
windows-accountname

This is explained in greater depth in our whitepapers somewhere, though
I don't have a bookmark handy to provide reference.

-----
This message is provided "AS IS" with no warranties, and confers no
rights.
Message may originate from an unmonitored alias ("davespam").  If so,
use "davidchr" if a direct reply is required. 
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
I reside in Washington, USA, where Title 19 declares that sending me
Unsolicited Commercial Email can result in a $500 fine.
Harvesting of this address for purposes of bulk email (spam and UCE) is
expressly prohibited unless by my explicit prior request.  I retaliate
viciously against spammers and spam sites.
  
> -----Original Message-----
> From: Brian Thompson [mailto:brianpm at ghidra.eng.wayne.edu] 
> Sent: Sunday, November 10, 2002 1:37 PM
> To: kerberos at mit.edu
> 
> Hi all, I'm having a problem logging into a
> non-windows kerberos realm from a w2k 
> workstation. The same realm username/password
> works fine on the AD server due to a trust
> and the w2k workstation can log in using
> either a local account or an AD domain account.
> The non-windows realm is on the domain pull-down
> on the w2k workstation but logins don't work
> unless I create a local account on the w2k 
> workstation with the same name as the kerberos 
> username. If I delete the local account it 
> doesn't work. There is an account in the AD 
> server with the same username which is the 
> proxy account that I really want to use.
> 
> Without the local account, I get two different
> symptoms depending on whether or not I have
> a "ksetup /mapuser * *" defined on the w2k
> workstation. If username mapping is defined, I
> get an error message about not being able to
> map a SID to the username. If username mapping
> isn't defined, I get the regular failed login
> message.
> 
> Any assistance would be greatly appreciated!
> 
> Thanks,
> Brian
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list