Trust Relationship Issue

David Alexandre M. de Carvalho david at di.ubi.pt
Tue Nov 30 11:08:59 EST 2004


Hi !
First of all I'd like to say that I've tried lots of mailing lists
(Microsoft too, in fact I'm still waiting for some additional info),
but the replies are contradictory, so I'm asking your help.

I have a Mac OS X Server 10.3.6 with OpenLDAP set up and already with user
accounts, and a Kerberos REALM associated which is the server's complete name
in uppercase under "mydomain.pt".
I have also a Win2k3 Server Enterprise Edition with user accounts for which
I've created the "win.mydomain.pt".
What I want to do is use both domains to authenticate users from XP Pro
workstations through a Trust Relationship between the Windows domain and the
Kerberos realm, like the reference to trust relationships in
http://www.microsoft.com/TECHNET/prodtechnol/windows2000serv/howto/kerbstep.mspx#ECAA

What I did:

1 - windows (dc) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
2 - windows (dc) - create the trust (I've tried all kinds of trust,
bidirectional, etc)

3 - windows (workstations) - ksetup /addkdc MAC.MYDOMAIN.PT mac.mydomain.pt
and a new domain (kerberos type) appears on the login window

4 - Open Directory (kdc)
addprinc krbtgt/WIN.MYDOMAIN.PT@MAC.MYDOMAIN.PT
addprinc krbtgt/MAC.MYDOMAIN.PT@WIN.MYDOMAIN.PT
I've used the same passwords on the last 2 commands and on the trust
to avoid problems.

Supposedly Windows should trust the Mac OS X Server KDC to authenticate users,
and both Mac and Win servers have user accounts.

Unfortunately, this isn't working.
I've also noted that in certain documentation, it's necessary to create
user mappings from the Windows domain to the Kerberos domain, which is
something that I don't want, because this involves account duplication,
and I want to use one server or the other to authenticate.
I've appended keytab information generated on the Win2k3 server to the
kadm5.keytab, but it still didn't work.

Through Ethereal, I get "KRB ERROR: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"
and another "e-text: SERVER_NOT_FOUND".

What am I doing wrong in my procedure?
Thank you very much
Best regards

David
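As an added illustration (not part of the original post, and not code from Open Directory, MIT Kerberos or Windows), here is a small Python model of the krbtgt bookkeeping a cross-realm trust depends on, using constructed data with the realm names from the post; it shows which KDC would answer KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN when a cross-realm ("hop") principal exists on only one side, or cannot decrypt the cross-realm TGT when the keys differ.

```python
# Added example: a model of cross-realm krbtgt bookkeeping (constructed data,
# not from the original post). Each "KDC" is a dict: principal -> key material.

def cross_realm_principal(client_realm: str, target_realm: str) -> str:
    """Ticket-granting principal a client in client_realm must obtain to
    reach a service in target_realm (the 'hop' principal)."""
    return f"krbtgt/{target_realm}@{client_realm}"

def check_direction(kdcs: dict, client_realm: str, target_realm: str) -> str:
    """Outcome a client in client_realm sees when asking for a service in
    target_realm. The hop principal must exist on BOTH KDCs with the same key:
    the home KDC issues the cross-realm TGT, the target KDC decrypts it."""
    princ = cross_realm_principal(client_realm, target_realm)
    home, target = kdcs[client_realm], kdcs[target_realm]
    if princ not in home:
        return f"{client_realm}: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for {princ}"
    if princ not in target:
        return f"{target_realm}: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for {princ}"
    if home[princ] != target[princ]:
        return f"{target_realm}: cannot decrypt cross-realm TGT for {princ} (keys differ)"
    return "OK"

def missing_for_bidirectional(kdcs: dict, realm_a: str, realm_b: str) -> list:
    """(kdc, principal) pairs still needed for a two-way trust: each of the
    two hop principals must be present on both KDCs."""
    needed = [cross_realm_principal(realm_a, realm_b),
              cross_realm_principal(realm_b, realm_a)]
    return [(kdc, p) for p in needed for kdc in (realm_a, realm_b)
            if p not in kdcs[kdc]]

# Constructed sample using the realm names in the post: the Open Directory
# style KDC holds both hop principals, the Windows side holds only one.
SAMPLE_KDCS = {
    "MAC.MYDOMAIN.PT": {
        "krbtgt/WIN.MYDOMAIN.PT@MAC.MYDOMAIN.PT": "key-shared",
        "krbtgt/MAC.MYDOMAIN.PT@WIN.MYDOMAIN.PT": "key-shared",
    },
    "WIN.MYDOMAIN.PT": {
        "krbtgt/MAC.MYDOMAIN.PT@WIN.MYDOMAIN.PT": "key-shared",
    },
}

if __name__ == "__main__":
    for src, dst in [("WIN.MYDOMAIN.PT", "MAC.MYDOMAIN.PT"),
                     ("MAC.MYDOMAIN.PT", "WIN.MYDOMAIN.PT")]:
        print(f"{src} -> {dst}: {check_direction(SAMPLE_KDCS, src, dst)}")
    print("still missing:",
          missing_for_bidirectional(SAMPLE_KDCS, "MAC.MYDOMAIN.PT", "WIN.MYDOMAIN.PT"))
```

The model only covers the krbtgt principals themselves; it says nothing about the encryption types, name mappings or trust objects the Windows side also requires.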


