MIT to Windows 2k interoperability problems

Douglas E. Engert deengert at anl.gov
Wed Jun 22 16:12:01 EDT 2005


Google for: cross-realm windows kerberos

Then read:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

amiliv at gmail.com wrote:

> Hi,
> 
> I've got a small problem with Kerberos, and couldn't seem to be able to
> find a solution by simply Googling around...
> 
> I changed my Kerberos domain name.  Basically, I just wiped out old
> KDC, and reinstalled from scratch (it was testing only, so no real
> users on it anyhow).  There was one-way trust between old domain and
> another Kerberos domain (part of Windows 2000 Active Directory).
> 
> Before the change, I had saslauthd running on Unix side, and it was
> able to authenticate users against Active Directory (using Kerberos).
> After the change, I did exactly the same steps, but things simply don't
> work anymore.  The interesting thing is that I also added a slave server, and
> if saslauthd is going through the slave, it can successfully
> authenticate users on Windows Kerberos domain.  My guess is that
> there's some stale information about old domain and associated accounts
> on Windows side (created with ktpass.exe) that needs to be wiped out
> too.
> 
> All I could find on the web is how to initially make things work.
> In short, set up an account for the Unix host in Active Directory, associate
> the host Kerberos principal with that account and create a key using
> ktpass.exe, then import the key into /etc/krb5.keytab on the Unix side.  But no
> info on how to undo it (the part on the Windows side; removing the key from
> krb5.keytab is trivial), so that I can recreate the host principal for my
> master KDC in a clean way.  As I said, I guess my problems are due to
> stale information for the host principal on the Windows side.
> 
> I hope somebody could give me a hint or two to get me going in the right
> direction.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
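The ktpass/keytab procedure quoted above suggests one concrete check when a host principal stops working after a KDC rebuild: inventory what /etc/krb5.keytab actually holds (principal, kvno, enctype) and compare each kvno with the one the directory now reports for the mapped account. The following is an added example, not code from the thread; it parses the MIT keytab format directly, runs on a constructed sample keytab, and the directory-side kvno values are assumed input obtained separately.

```python
import struct

# MIT keytab 0x0502: big-endian; int32 length before each entry, negative = deleted slot to skip.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}

def parse_keytab(data):
    # Returns [{principal, kvno, enctype}] for every live entry; key bytes are not exposed.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                                  # deleted slot: skip it
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):                    # realm first, then name components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, _stamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        vno = vno8                                    # 8-bit kvno unless the 32-bit field follows
        if end - pos >= 4:
            vno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": vno, "enctype": ENCTYPES.get(enctype, str(enctype))})
        pos = end
    return entries

def stale_entries(entries, directory_kvno):
    # Entries whose kvno no longer matches what the directory holds for that principal.
    return [e for e in entries
            if e["principal"] in directory_kvno and e["kvno"] != directory_kvno[e["principal"]]]

def build_entry(principal, kvno, enctype, key):
    # Serialises one entry; used here only to construct the sample keytab below.
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the DES key ktpass.exe produced for the Unix host's principal
# (kvno 3) plus a deleted slot; the directory (assumed input) now reports kvno 4.
HOST = "host/unix1.example.org@WIN.EXAMPLE.ORG"
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(HOST, 3, 3, b"\x01" * 8) + struct.pack(">i", -4) + b"\0" * 4
DIRECTORY_KVNO = {HOST: 4}
```

A mismatch reported by stale_entries means the keytab entry and the account's current key no longer correspond, which is the condition to clear before re-running ktpass and re-importing.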

