Win logon to a MIT Kerberos V KDC?

[Turbo Fredriksson]

[let's keep this on the list]

Quoting "Eric Lee Steadle" <esteadle at spinnakernet.com>:

> Did you read this MS document? 
> [...]
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

Yes, I found that eventually.

> I've followed the steps and it definitely works.

It only halfway for me. Looking at the MIT Kerberos V KDC logs, i see that 
the win client seems to be getting a ticket:

----- s n i p -----
rmgztk:~# tail -f /var/log/kerberos/krb5kdc.log -n0
Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): NEEDED_PREAUTH: turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>, Additional pre-authentication required
Sep 26 15:58:32 rmgztk krb5kdc[1075](info): AS_REQ (2 etypes {3 1}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048712, etypes {rep=3 tkt=16 ses=1}, turbo@<MYREALM.TLD> for krbtgt/<MYREALM.TLD>@<MYREALM.TLD>
Sep 26 15:58:32 rmgztk krb5kdc[1075](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) <IP_OF_FIREWALL_AT_HOME>(88): ISSUE: authtime 1033048712, etypes {rep=1 tkt=16 ses=1}, turbo@<MYREALM.TLD> for host/majorskan.<MYDOMAIN.TLD>@<MYREALM.TLD>
----- s n i p -----

But I don't get logged in. The login say:

----- s n i p -----
The system could not log you on. Make sure your User name and domain are correct,
then type your password again. Letters in passwords must be typed using the correct
case. Make sure that Caps Lock is not accidentally on.
----- s n i p -----

I'm trying to login with my username (without the realm etc) and

Log on to: <MYREALM.TLD> (Kerberos Realm)



But as the KDC logs show, it seems like the login was successful. Do I have to
have something more (Samba comes to mind)?


Also, the KDC is on the 'Net, but the client is behind a masquerading Linux
firewall (have no problem with auth on a Linux client using LibNSS-LDAP/LibPAM-LDAP
with LibPAM-Krb5 etc).