AD Domain Authentication to MIT Kerb V

Matt Joyce syslists at vtsystems.com
Fri Feb 18 15:58:52 EST 2005


Douglas E. Engert wrote:

>
> Matt Joyce wrote:
>
>> So I can authenticate on my 2003 AD box to my MIT Kerb V realm and 
>> login as my mapped user.
>>
>
> Note that this may be letting you login to a local account on the machine
> not necessarily the domain.
>
Okay, so how can I test to see if I am capable of logging into the domain 
using my Kerb V principal?

>> I've gone over my docs a few times.  Checked my i's and t's for dots 
>> and crosses.
>>
>> I am befuddled (spelling?).
>> Do I create DNS entries for the Realm name as if it was a Domain?
>
> The SRV records for _kerberos._tcp.<realmname> and 
> _kerberos._udp.<realmname>
> can be used by both Kerberos libs and the built in Windows Kerberos when
> used with AD. This is a minor issue.
>
I've already added these entries.

>> Do I synch Domain username passwords to their mapped principals and 
>> expect my MIT realm tickets to show up in leash along with the Domain 
>> Tickets I see?
>
> Confusing question which might be answered by the reference below.
>
>> Are the domain tickets I am seeing for the domain really MIT Kerb 5 
>> tickets?  Are they related to the service tgt I created for AD?
>>
>
> They are all Kerberos 5 tickets, issued by different realms.
> I hope you are not trying to have a domain with its DCs, and a realm
> with its KDCs with the same name. This will get too confusing
> and will not interoperate. But what you can do is have
> different names for the domain and realm and do cross realm
> between them.
>
> AD uses Kerberos for authentication, and can act as a KDC. In this
> case the realm name is the uppercase domain name. But AD adds a PAC
> to the tickets with authorization info which a non-AD KDC will not.
> The non-AD KDC will copy the PAC from a TGT to a service ticket
> if it is found in the TGT such as cross realm from AD to non-AD.
> The PAC has the groups and other authorization stuff from the AD account.
>
My Kerb V realm name is indeed different from my domain name.  So I am 
well aware of which is which when referenced.

I am only seeing tickets from my AD domain realm.  I am not seeing any 
tickets seemingly issued by my Kerb V realm. Do I need to configure the 
client machines on the domain to be aware of the Kerb5 trusted realm?  
Are they aware of it through SRV records?   Or is NTLM auth to the AD 
domain supposed to automagically grab tickets from my trusted kerb5 
realm?  When I log into NTLM I am not seeing any queries in krb5kdc.log =(.

Am I missing some added step in providing cross realm authentication 
that's not mentioned in the interoperability guide?

>> What's going on?  Docs?  Thoughts?  Anything at all would be again 
>> greatly appreciated.
>
> See:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp 
>
This particular document is no longer of any use to me as I have 
followed every instruction in it and accomplished everything it is 
capable of guiding me towards.  I am furthering this question to the 
list because upon completion of mapping names to the Kerb 5 principals 
the instructions cut off.  I do not know how I am supposed to expect 
NTLM auth to the domain to work with the trusted realm, or how to verify 
that it is working.  Worse still, if it is not working, I have no idea 
what common trouble areas might be.

Any information in regards to this would be very very helpful to a great 
many people I am sure.

Thank you for your response Douglas.  It was of course as always very 
enlightening.

-Matt Joyce
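As an added illustration (not part of this thread, and not taken from Douglas's text or the Microsoft guide), the fragment below shows the client-side MIT configuration for the layout Douglas recommends: an AD domain and an MIT realm with different names, joined by a cross-realm trust. Every name in it is an assumption for the example (realm MIT.EXAMPLE.ORG served by kdc1.example.org, domain ad.example.com whose realm is AD.EXAMPLE.COM, served by dc1.ad.example.com); substitute your own. The DNS SRV records Douglas mentions are shown as comments so the two pieces can be compared side by side.

```ini
# krb5.conf for a client that should reach both realms (constructed example).
#
# The DNS side (zone for the MIT realm) would carry SRV records of this shape,
# so that both MIT libraries and the Windows Kerberos client can locate the KDC:
#   _kerberos._tcp.MIT.EXAMPLE.ORG.  IN SRV 0 0 88 kdc1.example.org.
#   _kerberos._udp.MIT.EXAMPLE.ORG.  IN SRV 0 0 88 kdc1.example.org.
# The AD domain publishes its own _kerberos._tcp.ad.example.com records itself.

[libdefaults]
    default_realm = MIT.EXAMPLE.ORG
    dns_lookup_kdc = true          # honour the SRV records above

[realms]
    # The non-AD realm: note the name is NOT the domain name.
    MIT.EXAMPLE.ORG = {
        kdc = kdc1.example.org
        admin_server = kdc1.example.org
    }
    # The AD realm: by convention the uppercase DNS domain name.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    # Map host names to the realm that issues their service tickets.
    .example.org    = MIT.EXAMPLE.ORG
    .ad.example.com = AD.EXAMPLE.COM

[capaths]
    # Direct trust in both directions ("." means no intermediate realm).
    # This only works once the cross-realm principals exist with matching keys:
    #   krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.ORG  (in the MIT database)
    #   krbtgt/MIT.EXAMPLE.ORG@AD.EXAMPLE.COM  (in the AD realm trust)
    AD.EXAMPLE.COM = {
        MIT.EXAMPLE.ORG = .
    }
    MIT.EXAMPLE.ORG = {
        AD.EXAMPLE.COM = .
    }
```

To verify the trust from a client, `kinit user@MIT.EXAMPLE.ORG` followed by `klist` should show `krbtgt/MIT.EXAMPLE.ORG@MIT.EXAMPLE.ORG`; after the first access to a service in the AD domain a cross-realm ticket `krbtgt/AD.EXAMPLE.COM@MIT.EXAMPLE.ORG` should appear alongside it, and the MIT KDC log should record the corresponding TGS request. A logon that actually uses NTLM never contacts any KDC, so an empty krb5kdc.log during an NTLM logon is expected rather than a sign of a broken trust; the trusted realm is exercised only by a Kerberos logon or by a service access that crosses the trust.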
