Win logon to a MIT Kerberos V KDC?

Turbo Fredriksson turbo at
Thu Sep 26 11:05:45 EDT 2002

>>>>> "Luke" == Luke Howard <lukeh at PADL.COM> writes:

    >> But as the KDC logs show, it seems like the login was
    >> successful. Do I have to have something more (Samba comes to
    >> mind)?

    Luke> SAMBA does not support the additional RPCs necessary for
    Luke> native Windows 2000 domain logon, so no, this won't help.

Just thinking that it might be a little like NSS/PAM. In Linux
I need Lib{PAM,NSS}-LDAP for uid/gid number mapping etc (authorization)
and LibPAM-Krb5 for password (authentication)...

Don't I need a authorization system as well on the Win host? Currently
I only have authentication... ?

    Luke> Did you map your account to a local account with ksetup?

Yes. Both 'turbo at REALM -> turbo' and '* *' (same on both hosts).

Since the mapping is supposed to be 1:1 (using userid from KDC),
the first mapping shouldn't be there, but... ?

    Luke> Did you set the machine password with ksetup and create a
    Luke> machine principal on your KDC with the same password?

Yes. I first tried with a random passwd and add that to the keytab.
I then found the link to the step-by-step guide, so I re-did it,
this time without adding it to the keytab.

Why do I need to create a machine account (using ksetup that is)?

More information about the Kerberos mailing list