Problems with Active Directory / MIT Kerberos trust and authentication
Mark Hendricks
mdh3 at humboldt.edu
Fri Mar 26 13:00:46 EST 2004
Hello,
I have a MIT Kerberos KDC. I am trying to establish a trust relationship
between my MIT Kerberos KDC (<UNIX-REALM>) and a Windows 2003 Server Active
Directory.
I established the trust relationship (based on O'Reilly's Kerberos
Definitive Guide) as well as the Microsoft Win2k paper.
As I understand it, I should NOT have to create a host principal on my unix
KDC for the Active Directory Workstations. Also, I should NOT need to share
keytabs between the AD server and the Unix KDC.
When a user on a workstation that belongs to the AD domain attempts to log in,
I get the following entries on my KDC.
1. The user is issued a ticket on my realm.
2. The AD appears to be issuing a ticket granting ticket.
3. If I do not add a host principal for the workstation into my unix realm,
the host is not issued a ticket (unknown host). If I add the host's FQDN as
a host principal on my Unix realm, a ticket is granted (see below).
4. Either way, the user is not allowed to login to the workstation.
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): AS_REQ (7 etypes
{23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751,
etypes {rep=3 tkt=16 ses=1}, user@<UNIX-REALM> for
krbtgt/<UNIX-REALM>@<UNIX-REALM>
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): TGS_REQ (7 etypes
{23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751,
etypes {rep=1 tkt=3 ses=1}, user@<UNIX-REALM> for
krbtgt/<AD-REALM>@<UNIX-REALM>
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): TGS_REQ (7 etypes
{23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751,
etypes {rep=1 tkt=16 ses=1}, user@<UNIX.REALM> for
host/workstation.adrealm.realm.edu@<UNIX.REALM>
I would appreciate information that would help solve this problem.
Thanks
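An added example, not part of the original post: a small parser for krb5kdc ISSUE entries like the ones quoted above, plus an audit that flags the two patterns visible in that trace (a cross-realm TGT being issued, then a host/ service ticket for a machine in the referred-to realm being issued by the local realm). The sample lines, realm names and IP address are constructed stand-ins for the placeholders in the post.

```python
import re

# Constructed sample, modelled on the three krb5kdc entries quoted in the post,
# each re-joined onto a single line; realm names and the IP are placeholders.
SAMPLE_LOG = """\
Mar 25 15:02:31 kdc krb5kdc[15114](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.0.0.253: ISSUE: authtime 1080255751, etypes {rep=3 tkt=16 ses=1}, user@UNIX.REALM.EDU for krbtgt/UNIX.REALM.EDU@UNIX.REALM.EDU
Mar 25 15:02:31 kdc krb5kdc[15114](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.0.0.253: ISSUE: authtime 1080255751, etypes {rep=1 tkt=3 ses=1}, user@UNIX.REALM.EDU for krbtgt/ADREALM.REALM.EDU@UNIX.REALM.EDU
Mar 25 15:02:31 kdc krb5kdc[15114](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.0.0.253: ISSUE: authtime 1080255751, etypes {rep=1 tkt=16 ses=1}, user@UNIX.REALM.EDU for host/workstation.adrealm.realm.edu@UNIX.REALM.EDU
"""

# Matches only successful (ISSUE) AS_REQ/TGS_REQ entries; any other line is skipped.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>\S+): ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

def parse_issues(log_text):
    """Return one dict per ISSUE entry with the fields a trust debug needs."""
    entries = []
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line)
        if m:
            svc, svc_realm = m.group("service").rsplit("@", 1)
            entries.append({**m.groupdict(), "svc": svc, "svc_realm": svc_realm})
    return entries

def audit_trust_flow(log_text):
    """Flag a cross-realm TGT being issued, and the same client afterwards getting
    a host/ ticket from *this* realm for a machine whose DNS name lies in the
    realm it was just referred to (the service should come from that realm)."""
    findings, referred = [], {}          # referred: client -> {target realm}
    for e in parse_issues(log_text):
        if e["svc"].startswith("krbtgt/"):
            target = e["svc"].split("/", 1)[1]
            if target != e["svc_realm"]:   # krbtgt/OTHER@LOCAL is a cross-realm TGT
                referred.setdefault(e["client"], set()).add(target.lower())
                findings.append(("cross-realm-tgt", e["client"], target))
        elif e["svc"].startswith("host/"):
            host = e["svc"].split("/", 1)[1].lower()
            for realm in referred.get(e["client"], ()):
                if host.endswith("." + realm):
                    findings.append(("local-host-ticket-after-referral", host, e["svc_realm"]))
    return findings
```

Run `audit_trust_flow(SAMPLE_LOG)` against a real krb5kdc.log to see whether clients that receive a cross-realm TGT are still being served host/ tickets by the local realm.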