MIT/Win2k/XP Kerberos trust relationship bug?

Wachdorf, Daniel R drwachd at sandia.gov
Tue Jul 13 17:19:45 EDT 2004


Sorry, I misspoke earlier, I do notice similar behavior, but once I access
anything requiring Kerberos (SPNEGO) I get tickets.

I do notice that I don't get CIFS tickets, which may be the bug that Rodney
referred to.  If you unsync the passwords between the MIT realm and the AD
realm, NTLM won't ever work, it forces Kerberos.

-dan

> -----Original Message-----
> From: Brian Davidson [mailto:bdavids1 at gmu.edu]
> Sent: Tuesday, July 13, 2004 12:39 PM
> To: kerberos at mit.edu
> Subject: Re: MIT/Win2k/XP Kerberos trust relationship bug?
> 
> Yes, this is what I'm talking about.  I see this issue on every single
> Windows XP system I've tried it on (quite a few).
> 
> When I unlock the workstation, I have a TGT for the MIT realm, and a
> host ticket for the AD realm.  All other AD tickets are gone, including
> the cross realm TGT for the AD and the LDAP and CIFS tickets from the
> AD realm.
> 
> What's even more troubling is that sometimes I still can access some
> shares, even without a ticket.  But that's a separate issue...
> 
> Brian
> 
> On Jul 13, 2004, at 2:27 PM, Wachdorf, Daniel R wrote:
> 
> > Are you talking about a login using the Windows GINA and typing in
> > username at MIT.REALM?  Which then uses trust between MIT.REALM and
> > ACTIVEDIRECTORY.REALM?
> >
> > When I run that, I don't have the problem.  I can lock my XP box fine,
> > come back and I still have my TGT for mit.realm and the cross realm
> > ticket for activedirectory.realm.  Further requests for tickets work fine.
> >
> > -dan
> 