w2k client login to kerberos realm

Brian Thompson brianpm at ghidra.eng.wayne.edu
Wed Nov 13 05:16:29 EST 2002


davespam at microsoft.com ("Actually davidchr") wrote in message news:<4AEE3169443CDD4796CA8A00B02191CD0AFB9F5B at win-msg-01.wingroup.windeploy.ntdev.microsoft.com>...
> It sounds like you've got local mappings (ksetup /mapuser * *) but you
> really want domain mappings (either or both will work, depending on your
> needs).  
> 
> If you want AD domain accounts to serve as proxy accounts for purposes
> of authorizing principals from trusted non-Windows realms, then you can
> use ksetup to configure each proxy account (you can't ksetup /mapuser *
> * at the domain level-- it only works for local accounts):
> 
> ksetup /domain WINDOWS.DOMAIN.COM /mapuser foo@REALM.COM windows-accountname
> 
> This is explained in greater depth in our whitepapers somewhere, though
> I don't have a bookmark handy to provide reference.
> 
> -----
> This message is provided "AS IS" with no warranties, and confers no
> rights.
> Message may originate from an unmonitored alias ("davespam").  If so,
> use "davidchr" if a direct reply is required. 
> Any opinions or policies stated within are my own and do not necessarily
> constitute those of my employer.
> I reside in Washington, USA, where Title 19 declares that sending me
> Unsolicited Commercial Email can result in a $500 fine.
> Harvesting of this address for purposes of bulk email (spam and UCE) is
> expressly prohibited unless by my explicit prior request.  I retaliate
> viciously against spammers and spam sites.
>   
> > -----Original Message-----
> > From: Brian Thompson [mailto:brianpm at ghidra.eng.wayne.edu] 
> > Sent: Sunday, November 10, 2002 1:37 PM
> > To: kerberos at mit.edu
> > 
> > Hi all, I'm having a problem logging into a
> > non-windows kerberos realm from a w2k 
> > workstation. The same realm username/password
> > works fine on the AD server due to a trust
> > and the w2k workstation can log in using
> > either a local account or an AD domain account.
> > The non-windows realm is on the domain pull-down
> > on the w2k workstation but logins don't work
> > unless I create a local account on the w2k 
> > workstation with the same name as the kerberos 
> > username. If I delete the local account it 
> > doesn't work. There is an account in the AD 
> > server with the same username which is the 
> > proxy account that I really want to use.
> > 
> > Without the local account, I get two different
> > symptoms depending on whether or not I have
> > a "ksetup /mapuser * *" defined on the w2k
> > workstation. If username mapping is defined, I
> > get an error message about not being able to
> > map a SID to the username. If username mapping
> > isn't defined, I get the regular failed login
> > message.
> > 
> > Any assistance would be greatly appreciated!
> > 
> > Thanks,
> > Brian
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/kerberos
> > 


Thanks all! That basically did the trick. For some
reason specifying the domain name croaked but using
the /domain argument without specifying an actual
domain name worked.

Here's a cut/paste of what the results were:


E:\t>
E:\t>ksetup /domain igloo.wayne.edu /mapuser kbrian@WAYNE.EDU kbrian
Connecting to specified domain igloo.wayne.edu...
Ldap open failed for \\aeolus.igloo.wayne.edu: 0x3a.
Could not guess user's domain.
  Please specify domain on command line and try again.
/Domain failed: 0xc0000001.
E:\t>
E:\t>
E:\t>ksetup /domain /mapuser kbrian@WAYNE.EDU kbrian
Using domain IGLOO.WAYNE.EDU.
Mapping created successfully.
E:\t>

Thanks again for everyone's help! Problem solved.

-Brian
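A defender-side check, added here as an example and not part of the thread or of Microsoft's ksetup tool: the domain-level mapping that "ksetup /domain /mapuser principal@REALM account" creates is stored on the proxy account in Active Directory as an entry of the form "Kerberos:principal@REALM" in the account's altSecurityIdentities attribute. The PowerShell below, which assumes the RSAT ActiveDirectory module is installed and uses a constructed allow-list of realms, enumerates every such mapping in the domain and flags any whose realm is not one you expect to be trusted, so a stray proxy mapping onto a privileged account does not go unnoticed.

```powershell
# Added example, not from the thread. Enumerates AD accounts that carry a
# Kerberos name mapping in altSecurityIdentities (the attribute written by
# "ksetup /domain /mapuser") and flags mappings from unexpected realms.
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Realms whose principals are expected to map onto proxy accounts here.
# Constructed sample value; replace with the realms your forest trusts.
$AllowedRealms = @('WAYNE.EDU')

# Only accounts that have at least one Kerberos: mapping entry.
$accounts = Get-ADUser -LDAPFilter '(altSecurityIdentities=Kerberos:*)' `
    -Properties altSecurityIdentities, Enabled, MemberOf

foreach ($acct in $accounts) {
    foreach ($entry in $acct.altSecurityIdentities) {
        # X509: entries are certificate mappings, not ksetup name mappings.
        if ($entry -notlike 'Kerberos:*') { continue }

        $principal = $entry.Substring('Kerberos:'.Length)
        $realm     = ($principal -split '@')[-1]
        $status    = if ($AllowedRealms -contains $realm) { 'ok' }
                     else { 'UNEXPECTED REALM' }

        [pscustomobject]@{
            Account    = $acct.SamAccountName
            Enabled    = $acct.Enabled
            Principal  = $principal
            Realm      = $realm
            GroupCount = @($acct.MemberOf).Count
            Status     = $status
        }
    }
}
```

Run it from a domain-joined host with rights to read user objects; pipe the output to Format-Table or Export-Csv. The GroupCount column is there so that a mapping onto an account with many group memberships stands out, since whoever holds the foreign principal inherits that account's authorization.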
