Please Advise, Need Win2003 host to read keytab generated by Win2003 KDC.
Mike Pal
mpal7 at rogers.com
Thu Mar 31 15:35:19 EST 2005
Hi,
Please note these steps were performed during and after consulting MIT/Linux/Microsoft and Google Web documentation. Domain.Com is the mother domain, QANAMEMAP.COM is a new Tree/Forest.
There are 3 Win2003 PCs in Domain Environment:
1 Active Directory/KDC/VAS LDAP Server (Win2003) (\\qanfsmap)
1 NFS Client VAS LDAP Client(Win2003) (\\mpal0012)
1 NFS Server VAS LDAP Client (Win2003) (\\aqian2)
Environment:
---------------------
Win2003AD KDC
hostname=qanfsmap.qanamemap.com
-domain=QANAMEMAP.COM, static ip/gateway/netmask
-Microsoft DNS Enabled, with Forwarding (zones)
(all Microsoft machines resolve when you ping them), whether hostname or domain
-Microsoft NTP Server Enabled as Server
-created user nfs and "computer aqian2" as a user. (can't change password, password never expires.)
-Installed Microsoft Support Tools to access ktpass.exe (Win2003 cd)
-Installed Microsoft Windows 2003 Resource Kit for ksetup.exe utils
-Vintela LDAP properly configured (VAS)
-LDAP Schema Extended
Win2003 Host
hostname=aqian2.qanamemap.com
-Added to QANAMEMAP.COM, pointed DNS Server Address to Win2003 AD
-Configured LDAP (VAS)
-Enabled to export NFS filesystems via Kerberos (NFS Server configuration)
-Installed MIT Kerberos Client 2.65 (MIT Website)
-Can get tickets,
-Microsoft NTP Client enabled pointing to Win2003 AD
MIT Kerberos retrieves 6 Kerberos 5 tickets,
ran
ktpass.exe -princ nfs/AQIAN2.QANAMEMAP.COM -user nfs -pass Feeble1090 /mapuser nfs
Copied krb5kt to local %windir%, reboot machine,
on Win2003 AD (KDC)
ksetup /addkdc QANAMEMAP.COM qanfsmap.QANAMEMAP.COM
ksetup /mapuser nfs nfs
Win2003 host can still get tickets, but keytab file is still not being noticed
Created a few keytab files using /CRYPTO DES-CBC-CRC, DES-CBC-MD5, and /ptype (all 3 of them)
separately, none of the keytab files work.
1. Did I seem to forget anything?
2.
a. According to Microsoft, the KDC should trust the host in the Realm, I didn't add the trust, should I?
3. Is there a way to add more entries to a keytab file? ktpass adds only one line
Verify this by using ktutil on the Unix side: ktutil, rkt krb5kt, l.
Unix has ktadd, which allows admin to enter more principals into keytab,
a. What can I use for Microsoft?
4. Win2003 host Winlogon:
user: nfs
pass: Feeble1090
Domain: QANAMEMAP , when I log into the domain, MIT Kerberos retrieves my tickets automatically
a. If I destroy and try to recreate the tickets, KDC server cannot be found.....
Is this because my kinit was pre-authorized?
5. ksetup /setmachpasswd password was also run before and keytab generated, then reboot KDC, keytab file still not being read.
Michael
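Added example (not from the post, MIT or Microsoft): a minimal writer and reader for the MIT keytab format (version 0x0502) that a Windows host lacking ktutil can use to check what a ktpass-generated keytab actually contains, and that shows a second principal is simply another appended entry. The realm, service principal and 8-byte keys below are constructed placeholders, not real keys.

```python
import struct

KEYTAB_VERSION = b"\x05\x02"  # MIT keytab format version 2 (big-endian, carries name_type)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def encode_entry(realm, components, enctype, key, kvno=1, timestamp=0, name_type=1):
    """Serialize one entry; name_type 1 is KRB5_NT_PRINCIPAL (the ktpass /ptype default).
    Every string is a counted octet string: 16-bit big-endian length, then the bytes."""
    body = struct.pack(">H", len(components)) + struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key            # keyblock
    body += struct.pack(">I", kvno)                                # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

def write_keytab(entries) -> bytes:
    """Header plus length-prefixed entries: a second principal is just another appended entry."""
    return KEYTAB_VERSION + b"".join(entries)

def read_keytab(data: bytes) -> list:
    """Parse a keytab; returns one dict per live entry (negative-size slots are deleted)."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []  # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:  # optional 32-bit kvno trailer wins when non-zero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        pos = end
        entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "name_type": name_type,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "kvno": kvno, "key": key})
    return entries

# Constructed sample: the post's nfs service principal with two enctypes and placeholder 8-byte keys.
SAMPLE_KEYTAB = write_keytab([
    encode_entry("QANAMEMAP.COM", ["nfs", "aqian2.qanamemap.com"], 1, b"\x01" * 8, kvno=1),
    encode_entry("QANAMEMAP.COM", ["nfs", "aqian2.qanamemap.com"], 3, b"\x02" * 8, kvno=2),
])
```

Comparing the principal, enctype and kvno printed by read_keytab against what the KDC holds for the account is the check that catches a keytab ignored because of a name, realm-case or kvno mismatch.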