Login to XP workstation in Windows Server 2003 2k3 AD domain

Douglas E. Engert deengert at anl.gov
Mon Jan 17 13:52:25 EST 2005


Is this a side effect of the salt containing the old principal name,
and AD storing a password? Can one tell if the salt is correct
by looking at the suggested salt in an error response to an AS_REQ?


Jeffrey Altman wrote:
> Thomas Schweizer wrote:
> 
>>Note: this setup will only allow Kerberos authentication, no NTLM will 
>>be available (under some circumstances Windows will transparently fall 
>>back to NTLM, e.g. if you want to access the shares of a computer using a 
>>plain IP-address such as \\192.168.10.12\share_name).
>>The current Samba 3.x branch doesn't support cross-realm trusts with 
>>non-Windows realms, AFAIK.
>>Your KDC should be allowed to issue DES keys because I think for 
>>cross-realm trusts between AD and MIT krb5 these have to be DES ones.
> 
> 
> Windows 2003 SP1 will support RC4-HMAC for cross-realm trusts.
> You need to use the 2003 SP1 Support Tools version of ktpass.exe
> in order to generate keytabs with RC4-HMAC keys.
> 
> Something very important to note.  If you turn on or off the "use
> DES only" key or change the SPN associations for an account, you
> must remember to perform a "reset password" operation on the account
> in order for the changes to work correctly.
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

