MIT to Windows 2k interoperability problems

amiliv@gmail.com
Tue Jun 21 16:50:44 EDT 2005


Hi,

I've got a small problem with Kerberos, and couldn't seem to be able to
find a solution by simply Googling around...

I changed my Kerberos domain name.  Basically, I just wiped out old
KDC, and reinstalled from scratch (it was testing only, so no real
users on it anyhow).  There was a one-way trust between the old domain and
another Kerberos domain (part of Windows 2000 Active Directory).

Before the change, I had saslauthd running on Unix side, and it was
able to authenticate users against Active Directory (using Kerberos).
After the change, I did exactly the same steps, but things simply don't
work anymore.  The interesting thing is that I also added a slave server, and
if saslauthd is going through the slave, it can successfully
authenticate users on the Windows Kerberos domain.  My guess is that
there's some stale information about the old domain and associated accounts
on the Windows side (created with ktpass.exe) that needs to be wiped out
too.

All I could find on the web is how to make things work initially.
In short, set up an account for the Unix host in Active Directory, associate
the host Kerberos principal with that account and create a key using
ktpass.exe, then import the key into /etc/krb5.keytab on the Unix side.  But no
info on how to undo it (the part on the Windows side; removing the key from
krb5.keytab is trivial), so that I can recreate the host principal for my
master KDC in a clean way.  As I said, I guess my problems are due to
stale information for the host principal on the Windows side.

I hope somebody could give me a hint or two to get me going in the right
direction.