MIT Kerberos and Windows 2008 R2 Trust relationship misunderstanding

Guillaume Rousse Guillaume.Rousse at inria.fr
Tue Mar 9 17:51:53 EST 2010


On 08/03/2010 14:21, Frederic SOULIER wrote:
> I'm a beginner in Kerberos and AD, but I'm thinking that using a trust
> relationship between MIT and AD could avoid this request, because the
> Windows 7 client, integrated in the AD domain, should directly query the
> AD and not the MIT Kerberos after the first authentication.
> 
> Perhaps I'm making a mistake, but I find poor/any documentation about it...
> 
> If anyone can provide help or advice.....
If the machine asks the MIT KDC for a ticket for a given service, it probably
believes the service belongs to the Kerberos realm managed by this
server, instead of the Kerberos realm from AD. As Windows mainly uses DNS
records for its Kerberos configuration, I'd rather check your DNS setup.

Also, it might have asked the AD KDC, and this last one replies with a
reference. You should check in the AD logs (Kerberos logging level can be
modified), or use a network sniffer to be sure.

Last thing to check: if you use a test user from AD to log on to the same
Windows 7 host, does it still try to acquire its CIFS ticket from the
MIT KDC?
-- 
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62
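
The sniffer check suggested above, as an added example that is not part of the original message: it classifies port-88 payloads by their Kerberos message type and reports which KDCs the client sent TGS-REQs to. The addresses, the packet tuples and the truncated payload bytes are constructed assumptions; telling a referral from a service ticket would further require decoding the ticket's server name, which this sketch does not do.

```python
from collections import Counter, defaultdict
from typing import Optional

# RFC 4120: every Kerberos message is DER with an APPLICATION tag,
# so its first byte is 0x60 | message type.
KRB_TYPES = {0x6A: "AS-REQ", 0x6B: "AS-REP", 0x6C: "TGS-REQ",
             0x6D: "TGS-REP", 0x7E: "KRB-ERROR"}

def krb_type(payload: bytes, proto: str) -> Optional[str]:
    """Name the Kerberos message in one port-88 payload, or None."""
    if proto == "tcp":
        # Over TCP a 4-byte big-endian length (high bit clear) comes first.
        if len(payload) < 5 or payload[0] & 0x80:
            return None
        payload = payload[4:]
    return KRB_TYPES.get(payload[0]) if payload else None

def exchanges_by_kdc(packets, client):
    """Count message types exchanged between `client` and each KDC address."""
    seen = defaultdict(Counter)
    for src, dst, proto, payload in packets:
        kind = krb_type(payload, proto)
        if kind and client in (src, dst):
            seen[dst if src == client else src][kind] += 1
    return {kdc: dict(counts) for kdc, counts in seen.items()}

def kdcs_asked_for_service_tickets(packets, client):
    """KDC addresses that received a TGS-REQ from the client, in capture order."""
    asked = []
    for src, dst, proto, payload in packets:
        if src == client and dst not in asked and krb_type(payload, proto) == "TGS-REQ":
            asked.append(dst)
    return asked

# Constructed capture (documentation addresses, payloads truncated to a few bytes):
# .10 = Windows 7 client, .1 = AD KDC, .2 = MIT KDC. All three are assumptions.
CLIENT, AD_KDC, MIT_KDC = "192.0.2.10", "192.0.2.1", "192.0.2.2"
SAMPLE = [
    (CLIENT, AD_KDC, "udp", bytes.fromhex("6a81e43081e1")),           # AS-REQ
    (AD_KDC, CLIENT, "udp", bytes.fromhex("6b8202c1308202bd")),       # AS-REP
    (CLIENT, AD_KDC, "tcp", bytes.fromhex("000004b66c8204b2")),       # TGS-REQ
    (AD_KDC, CLIENT, "tcp", bytes.fromhex("000004a06d82049c")),       # TGS-REP
    (CLIENT, MIT_KDC, "tcp", bytes.fromhex("000004b66c8204b2")),      # TGS-REQ
    (MIT_KDC, CLIENT, "tcp", bytes.fromhex("0000005c7e5a3058")),      # KRB-ERROR
]

if __name__ == "__main__":
    print(exchanges_by_kdc(SAMPLE, CLIENT))
    print("TGS-REQ sent to:", kdcs_asked_for_service_tickets(SAMPLE, CLIENT))
```

A TGS-REQ to the AD KDC followed by one to the MIT KDC fits the second case described in the message; a TGS-REQ sent only to the MIT KDC points back at the client's realm resolution.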


