Cross Realm MIT <-> Active Directory
Markus Moeller
huaraz at moeller.plus.com
Sun Nov 5 08:23:11 EST 2006
"Miguel Sanders" <miguelsanders at telenet.be> wrote in message
news:1162725045.392694.47100 at i42g2000cwa.googlegroups.com...
> Hi
> I have been through many documents for several times but I just can't
> seem to find the problem.
> Here is the idea.
> Users are defined in Active Directory (domain/realm WINDOWS.COM)
> Host and service principals are defined in MIT Kerberos (realm
> UNIX.COM).
> Now I want the Windows users to be able to login to the Unix machines(
> and thus the UNIX.COM realm).
> Since users and host/service principals are in separated realms, cross
> realm authentication should be set up, right?
> So the point is that users XYZ (Windows Domain User) should be able to
> logon to the Unix Machines.
> 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
> presume that this is the case (although set with a random password).
You don't need the user in the MIT kdc. You either need a mapping like
auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
auth_to_local = DEFAULT
as part of the realms UNIX.COM section or use a .k5login file.
> 2) Is something wrong with the given krb5.conf ?
> [libdefaults]
> default_realm = UNIX.COM
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> UNIX.COM= {
> kdc = server1.unix.com:88
> admin_server = server1.unix.com:749
> default_domain = unix.com
> }
>
> WINDOWS.COM= {
> kdc = server1.windows.com:88
> admin_server = server1.windows.com:749
> default_domain = unix.com
> }
>
> [domain_realm]
> .windows.com = WINDOWS.COM
> windows.com = WINDOWS.COM
> .unix.com = UNIX.COM
> unix.com = UNIX.COM
>
> [capaths]
> WINDOWS.COM = {
> UNIX.COM = .
> }
>
> UNIX.COM = {
> WINDOWS.COM = .
> }
>
> 3) In kdc.conf I edited the following
> master_key_type = des-cbc-md5
> supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
You should use rc4-hmac. des is weak and shouldn't be used.
>
> 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM at UNIX.COM and
> krbtgt/UNIX.COM at WINDOWS.COM principals with password ABC
>
> 5) In Active Directory I defined the MIT realm and MIT kerberos master
> with ksetup
>>ksetup
> default realm = windows.com (NT Domain)
> UNIX.COM:
> kdc = server1.unix.com
> Realm Flags = 0x0 none
> Mapping XYZ at UNIX.COM to XYZ
The mapping is only needed when you login from Unix to Windows.
>
> 6) In Active Directory I defined the realm trust (one way, incoming)
> with the password ABC
> 7) In Active Directory Users and Computers I created the name mapping
> for user XYZ to XYZ at UNIX.COM (since the mapping set up by ksetup wasn't
> visible here, did this just to be sure)
I don't think you need this.
>
> Now why can't user XYZ at UNIX.COM login successfully with his Windows
> password?
> I am quite desperate on this one. What am I missing?
> Any help would be greatly appreciated.
>
You have to tell the Windows clients where to find the service principals
for the unix.com domain. This will be done with
trust WINDOWS.COM /domain:UNIX.COM /addtln:unix.com
on Active Directory.
> Kind regards
>
> Miguel
>
Regards
Markus
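The two points the reply makes, that a foreign-realm user needs an auth_to_local mapping rather than a duplicate principal and that single-DES enctypes should go, can both be checked mechanically. The following is an added illustration, not code from the thread or from MIT krb5: it parses a small krb5.conf, evaluates auth_to_local rules the way MIT's documented RULE/DEFAULT semantics describe them, and lints the enctype lists. The configuration is constructed for the example; its rule is an assumed variant with the realm's dots escaped (`.*@WINDOWS\.COM$`), which is not the exact rule quoted in the reply. Python's `re` stands in for the POSIX extended regex MIT uses, which is fine for patterns this simple. Flagging rc4-hmac as deprecated is an editorial addition beyond the 2006 reply (RFC 8429 retired RC4 for Kerberos; AES enctypes are the current choice).

```python
import re

# Constructed krb5.conf fragment for this example (not the poster's file).  The
# enctype lines mirror the DES-only settings quoted in the thread; the
# auth_to_local rule is an assumed variant with the realm's dots escaped.
SAMPLE_KRB5_CONF = r"""
[libdefaults]
    default_realm = UNIX.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
    UNIX.COM = {
        kdc = server1.unix.com:88
        auth_to_local = RULE:[1:$1@$0](.*@WINDOWS\.COM$)s/@.*//
        auth_to_local = DEFAULT
    }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: [values]}}, with one level of
    `name = { ... }` nesting as used by [realms].  Repeated keys accumulate in
    file order, which is what makes an ordered auth_to_local rule list work."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].strip().rstrip("=").strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target.setdefault(key.strip(), []).append(value.strip())
    return conf

# RULE:[n:format](selector)s/pattern/replacement/[g]...  (MIT krb5 syntax)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)(.*)$")
SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")

def split_principal(principal):
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, principal, default_realm):
    """Evaluate one auth_to_local rule; return the local name or None."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the local realm,
        # so a WINDOWS.COM user never falls through to a local account by it.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    ncomp, fmt, selector, substs = m.groups()
    if len(comps) != int(ncomp):   # component count must match exactly
        return None
    parts = [realm] + comps        # $0 is the realm, $1.. the components
    candidate = re.sub(r"\$(\d+)", lambda g: parts[int(g.group(1))], fmt)
    if not re.search(selector, candidate):   # assumption: ERE == Python re here
        return None
    pos = 0
    while pos < len(substs):
        sm = SUBST_RE.match(substs, pos)
        if not sm:
            raise ValueError(f"bad substitution in rule: {rule}")
        pattern, repl, g = sm.groups()
        candidate = re.sub(pattern, repl, candidate, count=0 if g else 1)
        pos = sm.end()
    return candidate

def map_principal(conf, principal):
    """Apply the local realm's auth_to_local rules in order; first match wins."""
    default_realm = conf["libdefaults"]["default_realm"][0]
    rules = conf["realms"].get(default_realm, {}).get("auth_to_local", ["DEFAULT"])
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None

def weak_enctypes(conf):
    """Flag single-DES (weak) and RC4 (deprecated) enctypes in [libdefaults]."""
    findings = []
    for key, values in conf.get("libdefaults", {}).items():
        if not key.endswith("enctypes"):
            continue
        for enc in " ".join(values).split():
            if enc.startswith("des-"):
                findings.append((key, enc, "weak"))
            elif enc.startswith(("rc4-", "arcfour-")):
                findings.append((key, enc, "deprecated"))
    return findings

if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for p in ("XYZ@WINDOWS.COM", "host/pc1.windows.com@WINDOWS.COM",
              "alice@UNIX.COM", "XYZ@EVIL.COM"):
        print(f"{p:40} -> {map_principal(conf, p)}")
    for finding in weak_enctypes(conf):
        print("enctype finding:", finding)
```

Two behaviours are worth checking on any rule you deploy: the `[1:...]` component count keeps a two-component service principal such as `host/pc1.windows.com@WINDOWS.COM` from ever mapping to a local user, and the realm anchor in the selector keeps a principal from an unrelated realm (`XYZ@EVIL.COM` above) from matching, so only the trusted realm's users reach a local account name.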