Cross realm auth with MS Server 2003 and MIT kerb

Douglas E. Engert deengert at anl.gov
Mon Oct 25 09:28:14 EDT 2004



BarBaar wrote:
> Hi all,
> 
> I took a little step backward today. First I tried to access a Debian
> telnet service with a WinXP client, and a Windows 2003 server KDC.
> This was no problem (the client is a member of the 2003 domain).
> 
> The next step was to authenticate on a MIT KDC with the WinXP client.
> The WinXP client needs to authenticate on the KDC. This first failed
> for the same reason as I described in the first post here (the KDC
> does receive the request (AS and TGS) but the WinXP authentication
> did fail).
> 
> Then I started to read again in O'Reilly's book, and saw that there is
> more involved in getting a WinXP client to talk to a MIT KDC.
> 
> I needed to use ksetup:
> ksetup /setdomain TEST2.NL
> ksetup /addkdc TEST2.NL kdc.test2.nl 
> ksetup /addkpassword TEST2.NL
> ksetup /setmatchpassword winxp.test2.nl <password>

But I thought you said this XP box was a member of the domain. I believe
you have now made it a member of the Kerberos realm, by the setdomain
and setpassword.

The point being that the last step of login is to get a host ticket
for the local machine. This is now obtained from TEST2.NL.

> 
> After that I was able to use Kerberos on the WinXP box (and thus use
> MIT Kerberos).
>

This may have worked for login but may not be what you want, as the
machine is not part of the domain. Remote access to the machine
like SMS may not work anymore.



> I never took those steps before. Do I need to execute any of these
> commands on the 2003 server to make cross-realm auth possible? I am a
> little confused about this at the moment.
> 

You may need the addkdc and addpassword so that if the MS code needs
to contact the MIT KDC it can find it. But it should also be able to
find it using the DNS SRV records if you have them set up.


> Thanks,
> 
> Bart
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
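As an added example (not from this thread), these are the DNS records a TEST2.NL administrator would publish so a Windows client can locate kdc.test2.nl without the /addkdc and /addkpasswd entries; the zone layout and ports 88/464 are standard, and it is an assumption that kadmind (which serves kpasswd) also runs on kdc.test2.nl.

```dns
; Constructed fragment of the test2.nl zone (added example, not from the thread).
; SRV owner names carry the Kerberos realm name; DNS matching is case-insensitive,
; so _kerberos._tcp.TEST2.NL and _kerberos._tcp.test2.nl are the same record.
$ORIGIN test2.nl.
$TTL 3600

; KDC locator records: Windows clients query _kerberos._tcp, MIT clients try UDP first.
;                         prio weight port target
_kerberos._tcp          IN SRV 0    0      88   kdc.test2.nl.
_kerberos._udp          IN SRV 0    0      88   kdc.test2.nl.

; Password-change service (what "ksetup /addkpasswd" would otherwise point at).
; Assumption: kadmind runs on kdc.test2.nl, since it serves kpasswd on 464.
_kpasswd._tcp           IN SRV 0    0      464  kdc.test2.nl.
_kpasswd._udp           IN SRV 0    0      464  kdc.test2.nl.

; Master KDC: MIT clients retry here when authentication fails, in case a replica is stale.
_kerberos-master._udp   IN SRV 0    0      88   kdc.test2.nl.

; Host-to-realm mapping for MIT clients (Windows uses "ksetup /setdomain" instead).
_kerberos               IN TXT "TEST2.NL"
```

Running ksetup with no arguments on the XP box lists the realm and any KDCs added by hand, which is a quick way to confirm that the client is no longer relying on a static entry once these records resolve.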