MIT to Windows 2k interoperability problems

Jeffrey C Albro jalbro at bu.edu
Wed Jun 22 17:13:50 EDT 2005


That is a very good document, but needs to be read REALLY carefully...

I'll add some hints:

To check that you cleaned things up correctly, you can use adsiedit.msc on
the windows side to make sure you don't have duplicate
serviceprincipalnames.

ktpass requires a new, made up password (most MS documementation doesn't 
make this clear).

Also, ktpass documents suggest you can create a serviceprincipalname
WITHOUT mapping to a user (no -mapuser)  I have no idea what that 
means.

-Jeff


-----------------------------------------------------------
Jeffrey Albro | Systems Administrator | Boston University
   - Department of Electrical and Computer Engineering -
jalbro at bu.edu |  Photonics, Room 305  | 617-358-2785
-----------------------------------------------------------



On Wed, 22 Jun 2005, Douglas E. Engert wrote:

> Google for: cross-realm windows kerberos
> 
> Then read:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
> 
> amiliv at gmail.com wrote:
> 
> > Hi,
> > 
> > I've got small problem with Kerberos, and couldn't seem to be able to
> > find solution by simply Googling around...
> > 
> > I changed my Kerberos domain name.  Basically, I just wiped out old
> > KDC, and reinstalled from scratch (it was testing only, so no real
> > users on it anyhow).  There was one-way trust between old domain and
> > another Kerberos domain (part of Windows 2000 Active Directory).
> > 
> > Before the change, I had saslauthd running on Unix side, and it was
> > able to authenticate users against Active Directory (using Kerberos).
> > After the change, I did exactly the same steps, but things simply don't
> > work anymore.  Interesting thing is that I also added slave server, and
> > if saslauthd is going through the slave, it can successfully
> > authenticate users on Windows Kerberos domain.  My guess is that
> > there's some stale information about old domain and associated accounts
> > on Windows side (created with ktpass.exe) that needs to be wiped out
> > too.
> > 
> > All I could find on the web is how to initially make things to work.
> > In short, setup account for Unix host in Active Directory, associate
> > host Kerberos principal with that account and create key using
> > ktpass.exe, import the key into /etc/krb5.keytab on Unix side.  But no
> > info on how to undo it (the part on the Windows side, removing key from
> > krb5.keytab is trivial), so that I can recreate host principal for my
> > master KDC in clean way.  As I said, I guess my problems are due to
> > stale information for the host principal on the Windows side.
> > 
> > I hope somebody could give me a hint or two to get me going into right
> > direction.
> > 
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> > 
> > 
> > 
> 
> -- 
> 
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


More information about the Kerberos mailing list