MIT to Windows 2k interoperability problems
Douglas E. Engert
deengert at anl.gov
Wed Jun 22 16:12:01 EDT 2005
Google for: cross-realm windows kerberos
Then read:
http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
amiliv at gmail.com wrote:
> Hi,
>
> I've got a small problem with Kerberos, and couldn't seem to be able to
> find a solution by simply Googling around...
>
> I changed my Kerberos domain name. Basically, I just wiped out old
> KDC, and reinstalled from scratch (it was testing only, so no real
> users on it anyhow). There was one-way trust between old domain and
> another Kerberos domain (part of Windows 2000 Active Directory).
>
> Before the change, I had saslauthd running on Unix side, and it was
> able to authenticate users against Active Directory (using Kerberos).
> After the change, I did exactly the same steps, but things simply don't
> work anymore. The interesting thing is that I also added a slave server, and
> if saslauthd is going through the slave, it can successfully
> authenticate users on the Windows Kerberos domain. My guess is that
> there's some stale information about old domain and associated accounts
> on Windows side (created with ktpass.exe) that needs to be wiped out
> too.
>
> All I could find on the web is how to initially make things work.
> In short, set up an account for the Unix host in Active Directory, associate
> the host Kerberos principal with that account and create a key using
> ktpass.exe, then import the key into /etc/krb5.keytab on the Unix side. But no
> info on how to undo it (the part on the Windows side; removing the key from
> krb5.keytab is trivial), so that I can recreate the host principal for my
> master KDC in a clean way. As I said, I guess my problems are due to
> stale information for the host principal on the Windows side.
>
> I hope somebody could give me a hint or two to get me going in the right
> direction.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
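The poster suspects stale state on the Windows side, but the same symptom (one KDC path works, the other does not) also appears when an old ktpass-generated key with a lower kvno is still sitting in /etc/krb5.keytab next to the new one. The following is an added example, not code from the thread or from MIT Kerberos: it parses the keytab file format directly (version 0x0502, including deleted slots and the 32-bit kvno extension), lists each entry's principal, kvno and enctype, and flags entries whose kvno is older than the newest key for the same principal. The sample keytab bytes, the host unixbox.example.com and the realm EXAMPLE.COM are constructed placeholders.

```python
"""Added example (not from the original thread): inspect a krb5.keytab for
stale host-principal keys. Sample data, host and realm names are constructed."""
import struct
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int


def _counted(b: bytes) -> bytes:
    # keytab counted_octet_string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, kvno: int, enctype: int, key: bytes,
                timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one keytab v2 (0x0502) entry, with the trailing 32-bit vno."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # full vno; used in place of the 8-bit field when non-zero
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Walk the file: [05 02] then repeated (int32 size, entry); negative size = deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # deleted entry: skip the dead space
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, pos)
            pos += 2
            parts.append(data[pos:pos + ln].decode())
            pos += ln
        realm, comps = parts[0], parts[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen                     # key material itself is not needed here
        kvno = vno8
        if end - pos >= 4:                  # optional 32-bit vno extension
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, timestamp))
        pos = end
    return entries


def stale_entries(entries: list[KeytabEntry]) -> list[tuple[str, int]]:
    """Entries whose kvno is lower than the newest kvno present for the same principal."""
    newest = defaultdict(int)
    for e in entries:
        newest[e.principal] = max(newest[e.principal], e.kvno)
    return [(e.principal, e.kvno) for e in entries if e.kvno < newest[e.principal]]


# Constructed sample: an old ktpass key (kvno 3) left behind, a deleted slot,
# the current host key (kvno 5) and an unrelated service key. enctype 23 = rc4-hmac.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("host/unixbox.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16, 1117000000)
    + struct.pack(">i", -8) + b"\x00" * 8
    + build_entry("host/unixbox.example.com@EXAMPLE.COM", 5, 23, b"\x22" * 16, 1119000000)
    + build_entry("sasl/unixbox.example.com@EXAMPLE.COM", 2, 23, b"\x33" * 16, 1119000000)
)

if __name__ == "__main__":
    found = parse_keytab(SAMPLE_KEYTAB)
    for e in found:
        print(f"kvno {e.kvno:3d}  enctype {e.enctype:3d}  {e.principal}")
    print("stale:", stale_entries(found))
```

On a real host the same listing comes from `klist -kt /etc/krb5.keytab`; the point of walking the bytes here is to see where the kvno lives and why an old ktpass entry with a lower kvno can survive a "remove and re-add" if only one of the two copies was deleted. The kvno that the Active Directory account currently carries is the one to compare against; an older kvno in the keytab is the Unix-side counterpart of the stale state the poster describes.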