Problems with Active Directory / MIT Kerberos trust and authentication

Mark Hendricks mdh3 at humboldt.edu
Fri Mar 26 13:00:46 EST 2004


Hello,

I have a MIT Kerberos KDC.  I am trying to establish a trust relationship
between my MIT Kerberos KDC (<UNIX-REALM>) and a Windows 2003 Server Active
Directory.

I established the trust relationship (based on O'Reilly's Kerberos
Definitive Guide) as well as the Microsoft Win2k paper.

As I understand it, I should NOT have to create a host principal on my unix
KDC for the Active Directory Workstations.  Also, I should NOT need to share
keytabs between the AD server and the Unix KDC.

When a user on a workstation that belongs to the AD domain attempts to log in,
I get the following entries on my KDC.

1.  The user is issued a ticket on my realm.
2.  The AD appears to be issuing a ticket granting ticket.
3.  If I do not add a host principal for the workstation into my unix realm,
the host is not issued a ticket (unknown host).  If I add the host's FQDN as
a host principal on my Unix realm, a ticket is granted (see below).
4.  Either way, the user is not allowed to log in to the workstation.


Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751, etypes {rep=3 tkt=16 ses=1}, user@<UNIX-REALM> for krbtgt/<UNIX-REALM>@<UNIX-REALM>
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751, etypes {rep=1 tkt=3 ses=1}, user@<UNIX-REALM> for krbtgt/<AD-REALM>@<UNIX-REALM>
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751, etypes {rep=1 tkt=16 ses=1}, user@<UNIX-REALM> for host/workstation.adrealm.realm.edu@<UNIX-REALM>


I would appreciate information that would help solve this problem.

Thanks
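The three krb5kdc entries in the post show a complete chain: an initial TGT from the Unix realm, a cross-realm TGT toward the AD realm, and a host ticket for the AD-joined workstation issued by the Unix realm. The script below is an added example (not code from the post or from MIT Kerberos) that parses "ISSUE" lines of this format, classifies each ticket, and runs two checks a practitioner would want: whether a host ticket was issued by a realm other than the one the host's DNS domain maps to, and whether session keys were negotiated with DES or RC4. The sample input is the poster's three lines re-joined onto one line each with the realm placeholders kept as written; the [domain_realm]-style mapping of .adrealm.realm.edu to <AD-REALM> is an assumption, since the post does not show the real configuration.

```python
"""Reconstruct and sanity-check a Kerberos ticket chain from krb5kdc log lines.

Added example; not code from the post or from MIT Kerberos.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the poster's three entries, unwrapped onto one line each.
SAMPLE_LOG = """\
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751, etypes {rep=3 tkt=16 ses=1}, user@<UNIX-REALM> for krbtgt/<UNIX-REALM>@<UNIX-REALM>
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751, etypes {rep=1 tkt=3 ses=1}, user@<UNIX-REALM> for krbtgt/<AD-REALM>@<UNIX-REALM>
Mar 25 15:02:31 my.unix-kdc.hostname krb5kdc[15114](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) IPADDRESS.253: ISSUE: authtime 1080255751, etypes {rep=1 tkt=16 ses=1}, user@<UNIX-REALM> for host/workstation.adrealm.realm.edu@<UNIX-REALM>
"""

# Assumed [domain_realm]-style mapping; the post does not show the real one.
DOMAIN_REALM: Dict[str, str] = {".adrealm.realm.edu": "<AD-REALM>"}

# RFC 3961 etype numbers seen in the sample; negative numbers are private-use.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}
DEPRECATED_ETYPES = {1, 2, 3, 23, 24}  # single DES (RFC 6649) and RC4 (RFC 8429)

ISSUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<addr>\S+): "
    r"ISSUE: authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<server>\S+)$"
)


@dataclass
class Issue:
    kind: str           # AS_REQ or TGS_REQ
    client: str         # requesting principal
    server: str         # principal the ticket was issued for
    authtime: int
    rep: int            # etype used to encrypt the KDC reply
    tkt: int            # etype of the ticket (service long-term key)
    ses: int            # etype of the session key
    offered: List[int]  # etypes the client advertised


def parse_issue(line: str) -> Optional[Issue]:
    """Parse one krb5kdc ISSUE line; returns None for lines in another format."""
    m = ISSUE_RE.match(line.strip())
    if not m:
        return None
    return Issue(kind=m["kind"], client=m["client"], server=m["server"],
                 authtime=int(m["authtime"]), rep=int(m["rep"]), tkt=int(m["tkt"]),
                 ses=int(m["ses"]), offered=[int(x) for x in m["offered"].split()])


def parse_log(text: str) -> List[Issue]:
    return [i for i in (parse_issue(l) for l in text.splitlines()) if i]


def split_principal(principal: str) -> Tuple[str, str]:
    """'host/x@R' -> ('host/x', 'R'); splits on the last '@'."""
    name, _, realm = principal.rpartition("@")
    return name, realm


def classify(issue: Issue) -> str:
    """initial-tgt, cross-realm-tgt, or service-ticket, judged from the server name."""
    name, realm = split_principal(issue.server)
    if name.startswith("krbtgt/"):
        return "initial-tgt" if name[len("krbtgt/"):] == realm else "cross-realm-tgt"
    return "service-ticket"


def mapped_realm(hostname: str, mapping: Dict[str, str]) -> Optional[str]:
    """Longest-suffix match, the way a [domain_realm] lookup in krb5.conf behaves."""
    best: Optional[Tuple[str, str]] = None
    for suffix, realm in mapping.items():
        if hostname == suffix.lstrip(".") or hostname.endswith(suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, realm)
    return best[1] if best else None


def check_chain(issues: List[Issue], mapping: Dict[str, str] = DOMAIN_REALM) -> List[str]:
    """Report cross-realm hops, realm/host mismatches, and deprecated session-key etypes."""
    findings: List[str] = []
    for i in issues:
        name, realm = split_principal(i.server)
        kind = classify(i)
        if kind == "cross-realm-tgt":
            findings.append(f"cross-realm TGT toward {name[len('krbtgt/'):]} "
                            f"issued by {realm} to {i.client}")
        elif kind == "service-ticket" and name.startswith("host/"):
            host = name.split("/", 1)[1]
            want = mapped_realm(host, mapping)
            if want and want != realm:
                findings.append(f"{i.server}: host is mapped to {want} but the ticket "
                                f"was issued by {realm}; the client resolved the host "
                                f"to the wrong realm")
        if i.ses in DEPRECATED_ETYPES:
            findings.append(f"{i.server}: session key etype {i.ses} "
                            f"({ETYPE_NAMES.get(i.ses, 'unknown')}) is deprecated")
    return findings


if __name__ == "__main__":
    chain = parse_log(SAMPLE_LOG)
    for issue in chain:
        print(f"{issue.kind:8} {classify(issue):16} {issue.server}")
    for f in check_chain(chain):
        print("CHECK:", f)
```

The realm check is the one worth running first on a log like this: a host ticket for a workstation under the AD DNS domain being issued by the Unix realm means the client asked the wrong KDC for that service, so adding the host principal to the Unix realm satisfies the request without producing a ticket the workstation can actually verify against its AD computer account key.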


