remote printing/drive mapping to windows ad with mit kerberos

David Botsch dwb7 at ccmr.cornell.edu
Tue Jun 14 17:11:30 EDT 2005


Hi. We have successfully set up cross realm login to our windows active domain
where a user logs in as user at MIT.KERBEROS.REALM ... this works fine if the user
is logging onto the console of a Windows machine in the domain.

However, if a user has his own machine, not in the windows active directory
domain, things do not work. So, the scenario is this:

a user needs to map a windows printer share or a drive share, authenticating as
user at MIT.KERBEROS.REALM -- any thoughts on how to make this work?

From what we can tell, the windows client (we have been testing with XP SP2)
requests the krbtgt at MIT.KERB.REALM@MIT.KERB.REALM, and then either:
1. does a second AS request for this same tgt or
2. does a TGS request for cifs/windows-2003-server-fqdn at MIT.KERB.REALM

In the case of 1, after the two successful AS requests, nothing else happens.
In the case of 2, this fails, of course, because the principal does not exist
in the MIT kerberos db. OK, so adding this principal to the MIT kerberos db is
easy enough. But, there seems to be no documentation on how to then add this
same principal to Windows with the same kvno/password.

But, as I said, sometimes 1 happens, and sometimes 2 happens.

I was expecting this to work the same, of course, as machines in the domain.
That is, obtain krbtgt/MITREALM at MITREALM, use this to do a TGS req for
krbtgt/WIN.AD.REALM at MITREALM, and then present this.

Any thoughts here?

Thanks!



-- 
********************************
David William Botsch
Consultant/Advisor II
CCMR Computing Facility
dwb7 at ccmr.cornell.edu
********************************
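The final paragraph of the post describes the cross-realm chain the poster expected: an AS exchange for krbtgt/MITREALM@MITREALM, a TGS exchange for krbtgt/WIN.AD.REALM@MITREALM, and then that cross-realm ticket presented to the Windows KDC for the cifs/ service. The model below is an added example for this thread, not code from the post or from MIT krb5; it reproduces that chain and lists which KDC database must hold each krbtgt entry with the same key and kvno (the mismatch the poster was worried about). It implements the RFC 4120 hierarchical rule (walk up to the longest shared name suffix, then down) and a krb5.conf-style [capaths] override where "." means a direct cross-realm key. The realm names MIT.KERBEROS.REALM and WIN.AD.REALM are the post's own placeholders; the host name fileserver.win.ad.realm and the capaths table are constructed for the example.

```python
"""Cross-realm Kerberos trust-path and ticket-chain model (constructed example).

Not code from the mailing-list post or from MIT krb5.  It models two ways a
client finds a path from its own realm to a service's realm, then lists the
krbtgt principals requested along the way and the KDC databases each one
must exist in with an identical key and kvno.
"""
from typing import Dict, List, Optional, Tuple

# {client_realm: {server_realm: [intermediate realms, or "." for direct]}}
CapathsTable = Dict[str, Dict[str, List[str]]]


def hierarchical_path(client_realm: str, server_realm: str) -> Optional[List[str]]:
    """Realms visited using the RFC 4120 hierarchical rule: walk up to the
    longest common name suffix, then down to the server realm.  Returns None
    when the realms share no suffix; the names alone then give no path and an
    explicit trust path (capaths) is required."""
    if client_realm == server_realm:
        return [client_realm]
    c = client_realm.split(".")
    s = server_realm.split(".")
    i = 0  # length of the common suffix, counted in name components
    while i < min(len(c), len(s)) and c[-1 - i] == s[-1 - i]:
        i += 1
    if i == 0:
        return None
    up = [".".join(c[k:]) for k in range(len(c) - i + 1)]           # client ... ancestor
    down = [".".join(s[k:]) for k in range(len(s) - i - 1, -1, -1)]  # below ancestor ... server
    return up + down


def resolve_path(client_realm: str, server_realm: str, capaths: CapathsTable) -> Optional[List[str]]:
    """Trust path, honouring an explicit capaths entry first (as krb5.conf's
    [capaths] section does) and falling back to the hierarchical rule.
    A single "." entry means the two realms share a direct cross-realm key."""
    hops = capaths.get(client_realm, {}).get(server_realm)
    if hops is None:
        return hierarchical_path(client_realm, server_realm)
    intermediates = [r for r in hops if r != "."]
    return [client_realm] + intermediates + [server_realm]


def ticket_chain(path: List[str], service: str) -> List[Tuple[str, str]]:
    """(KDC asked, principal requested) for each exchange.  The first step is
    the AS exchange for the client's own TGT; each later step is a TGS exchange
    that presents the ticket obtained in the previous step."""
    steps = [(path[0], f"krbtgt/{path[0]}@{path[0]}")]
    for here, nxt in zip(path, path[1:]):
        steps.append((here, f"krbtgt/{nxt}@{here}"))   # cross-realm TGT issued by `here`
    steps.append((path[-1], f"{service}@{path[-1]}"))  # service ticket from the last realm
    return steps


def required_db_entries(path: List[str]) -> List[Tuple[str, str]]:
    """(KDC database, principal) pairs that must carry the same key and kvno.
    krbtgt/B@A is issued by A's KDC and decrypted by B's KDC, so both realms'
    databases must hold it; a kvno or key mismatch breaks the second hop."""
    entries = []
    for here, nxt in zip(path, path[1:]):
        cross = f"krbtgt/{nxt}@{here}"
        entries.append((here, cross))
        entries.append((nxt, cross))
    return entries


if __name__ == "__main__":
    # Constructed: the post's two placeholder realms joined by a direct trust.
    CAPATHS: CapathsTable = {"MIT.KERBEROS.REALM": {"WIN.AD.REALM": ["."]}}
    path = resolve_path("MIT.KERBEROS.REALM", "WIN.AD.REALM", CAPATHS)
    for kdc, princ in ticket_chain(path, "cifs/fileserver.win.ad.realm"):
        print(f"ask {kdc:<22} for {princ}")
    for db, princ in required_db_entries(path):
        print(f"{db:<22} must hold {princ} (same key and kvno)")
```

Running the block prints the three exchanges of the expected chain and the two database entries for krbtgt/WIN.AD.REALM@MIT.KERBEROS.REALM. Without the capaths entry the two placeholder realms share only the suffix REALM, so the hierarchical rule would route through KERBEROS.REALM, REALM and AD.REALM instead; that is why a direct trust between unrelated realm names needs an explicit path on the client as well as the shared krbtgt key on both KDCs.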