Login to XP workstation in Windows Server 2003 2k3 AD domain

Jeffrey Altman jaltman2 at nyc.rr.com
Sat Jan 15 09:57:06 EST 2005


Thomas Schweizer wrote:
> Note: this setup will only allow Kerberos authentication, no NTLM will 
> be available (under some circumstances Windows will transparently fall 
> back to NTLM, e.g. if you want to access the shares of computer using a 
> plain IP-address such as \\192.168.10.12\share_name).
> The current Samba 3.x branch doesn't support cross-realm trusts with 
> non-Windows realms, AFAIK.
> Your KDC should be allowed to issue DES keys because I think for 
> cross-realm trusts between AD and MIT krb5 these have to be DES ones.

Windows 2003 SP1 will support RC4-HMAC for cross-realm trusts.
You need to use the 2003 SP1 Support Tools version of ktpass.exe
in order to generate keytabs with RC4-HMAC keys.

Something very important to note.  If you turn on or off the "use
DES only" key or change the SPN associations for an account, you
must remember to perform a "reset password" operation on the account
in order for the changes to work correctly.

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
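
Added example, not part of the original message and not code from ktpass or any Kerberos project: a Python check that reads a keytab, such as one written by ktpass.exe, and lists the principals that still hold only DES keys rather than RC4-HMAC. It assumes the MIT keytab version 0x0502 file layout; the principals, realm and key bytes in SAMPLE are constructed, and build_entry is a helper that exists only to build that sample.

```python
import struct
DES_ENCTYPES = {1, 2, 3}   # des-cbc-crc, des-cbc-md4, des-cbc-md5; rc4-hmac is 23

def counted(buf, off):     # uint16-length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(data, p)
            comps.append(c)
        # skip 4-byte name type and 4-byte timestamp, then kvno8 + keyblock header
        kvno, etype, klen = struct.unpack_from(">BHH", data, p + 8)
        p += 13 + klen
        if off + size - p >= 4:            # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        off += size
    return entries

def des_only(entries):
    """Principals holding no key other than single DES."""
    seen = {}
    for princ, _, etype in entries:
        seen.setdefault(princ, set()).add(etype)
    return sorted(p for p, e in seen.items() if e <= DES_ENCTYPES)

def build_entry(name, realm, kvno, etype, key):   # helper for the constructed sample
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", name.count("/") + 1) + cs(realm) + b"".join(map(cs, name.split("/")))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + b"".join(build_entry(*e) for e in (   # constructed sample keytab
    ("krbtgt/AD.EXAMPLE.COM", "EXAMPLE.COM", 2, 3, b"\x01" * 8),
    ("krbtgt/AD.EXAMPLE.COM", "EXAMPLE.COM", 2, 23, b"\x02" * 16),
    ("host/xp1.example.com", "EXAMPLE.COM", 300, 3, b"\x03" * 8)))
```

Running `des_only(parse_keytab(open(path, "rb").read()))` against a real keytab gives the principals to regenerate once RC4-HMAC is available.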

