Problems with interoperability among Kerberos MIT 5 and Win2K
Zdenek Hatas
zdenek_hatas at hp.com
Mon Mar 25 03:55:33 EST 2002
Hi,
I successfully tested this issue.
You have to perform the following steps:
on MS w2k DC (W2K.TEST.REALM):
1. set trust to your MIT KDC
2. set mapping for users which are being authenticated to your MIT KDC
on MIT KDC (TEST.REALM) do:
1. recompile with a referral patch from
CITI (http://www.citi.umich.edu/u/kwc/krb5stuff/referral.html)
2. in database create krbtgt/W2K.TEST.REALM@TEST.REALM (with the same
password as typed in MS 'trust' dialog on W2k DC)
on client side:
1. get 'ksetup' tool (it resides on MS Resource Kit CD, I think)
2. with ksetup do:
ksetup /setdomain TEST.REALM
ksetup /addkdc TEST.REALM kdc.test.realm
3. look into registry and search for
HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Domains\TEST.REALM
- add 'RealmFlags = 8' key; key type is REG_DWORD
Now, it could be possible to authenticate to MIT and use services in
your W2k domain.
(You could see your MIT realm in 'domain list' in logon dialog).
I hope I didn't forget anything. :-))
Zdenek Hatas
"Rafael Righi" <rafaelr at cpd.ufsm.br> wrote in message
news:Pine.A41.4.05.10201111533360.22842-100000 at saigon.cpd.ufsm.br...
>
> Hello all,
>
> I have a kdc ( kerberos 1.2.2 ) on linux machine and another
> machine with Windows 2000. I read "Step-by-step Guide to Kerberos 5
> Interoperability" from Microsoft site and executed the steps of "Setting
> Trust with a Kerberos Realm" section.
> The problem is: when I put a principal on win 2k, logon doesn't work
> (an error message appears). I set the trusts, the mapping between
> win2k user and kerberos user, set the kdc machine and other things.
> In kdc.log this text appears:
>
> Jan 11 15:09:05 machinekdc krb5kdc[5106](info): AS_REQ 20.xx.xx.11(88):
> ISSUE: authtime 1010768945, user@REALM for krbtgt/REALM@REALM
>
> Jan 11 15:09:05 machinekdc krb5kdc[5106](info): TGS_REQ 20.xx.xx.11(88):
> ISSUE: authtime 1010768945, user@REALM for krbtgt/WIN2K@REALM
>
> The "user" is authenticated successfully against krbtgt/REALM@REALM
> but the "user" is not authenticated with Windows 2000 (krbtgt/WIN2K@REALM).
>
> If anyone knows anything about this case, please send email to
> me. Thank you.
>
> PS: An interesting event is that: a Heimdal implementation of Kerberos
> works well with the same kdc.conf and krb5.conf configuration. But I want
> to use MIT implementation instead.
>
> Rafael Righi
>
> Brazil
>
> ____________________________________________________________________
>
> Rafael da Rosa Righi E-mail : rafaelr at cpd.ufsm.br
> rafaelrr at inf.ufsm.br
> Estagiario Set. Suporte. a Redes - Centro de Processamento de Dados
> Curso de Ciencia da Computacao - Universidade Federal de Santa Maria
>
> Brazil
> ____________________________________________________________________
--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG
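Added example (not part of the original thread): a small triage script for krb5kdc log lines in the format quoted above. It reports when the MIT KDC issued a cross-realm TGT (krbtgt/OTHER@REALM). The sample input is constructed from the two quoted log entries, with wrapped lines joined and principals written with '@'; the function names are hypothetical.

```python
import re

# krb5kdc request line, in the shape quoted in the message above. The optional
# "(N etypes {...})" group is an assumption to tolerate newer MIT log formats.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\):\s+(?P<req>AS_REQ|TGS_REQ)\s+(?:\([^)]*\)\s+)?\S+:\s+"
    r"(?P<status>[A-Z_]+):\s+(?P<rest>.*)$"
)
PAIR_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<service>\S+@\S+?)(?:,|\s|$)")

# Constructed sample: the two log entries from the post, unwrapped.
SAMPLE = [
    "Jan 11 15:09:05 machinekdc krb5kdc[5106](info): AS_REQ 20.xx.xx.11(88): "
    "ISSUE: authtime 1010768945, user@REALM for krbtgt/REALM@REALM",
    "Jan 11 15:09:05 machinekdc krb5kdc[5106](info): TGS_REQ 20.xx.xx.11(88): "
    "ISSUE: authtime 1010768945, user@REALM for krbtgt/WIN2K@REALM",
]

def classify(line):
    """Return request type, status, principals and ticket kind, or None."""
    m = LINE_RE.search(line)
    p = PAIR_RE.search(m.group("rest")) if m else None
    if not p:
        return None
    name, _, realm = p.group("service").rpartition("@")
    kind = "service"
    if name.startswith("krbtgt/"):
        # krbtgt/X@Y is the local TGT when X == Y, a cross-realm TGT otherwise.
        kind = "local-tgt" if name[len("krbtgt/"):] == realm else "cross-realm-tgt"
    return {"req": m.group("req"), "status": m.group("status"),
            "client": p.group("client"), "service": p.group("service"), "kind": kind}

def issued_cross_realm(lines):
    """List (client, target realm) pairs for which the KDC issued a cross-realm TGT."""
    out = []
    for line in lines:
        r = classify(line)
        if r and r["kind"] == "cross-realm-tgt" and r["status"] == "ISSUE":
            out.append((r["client"], r["service"].split("@")[0].split("/", 1)[1]))
    return out

if __name__ == "__main__":
    for client, realm in issued_cross_realm(SAMPLE):
        # An ISSUE here means the MIT KDC handed out the ticket for the other realm.
        print(f"{client}: cross-realm TGT for {realm} issued by the MIT KDC")
```

When a pair shows up here but logon still fails, the MIT KDC has already issued the cross-realm ticket, so the checks that remain are the ones listed in the reply: the trust password, the user mapping and the client's realm settings.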