Cross Realm MIT <-> Active Directory

Markus Moeller huaraz at moeller.plus.com
Sun Nov 5 12:54:14 EST 2006


My krb5.conf file

[libdefaults]
        default_realm = UNIX.COM
        dns_lookup_kdc = no
        dns_lookup_realm = no
        default_keytab_name = /etc/krb5.keytab
        default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
        noaddresses = no
[realms]
        UNIX.COM = {
                kdc = opensuse.unix.com
                admin_server = opensuse.unix.com
                auth_to_local = RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//
                auth_to_local = DEFAULT
        }
        WINDOWS.COM = {
                kdc = w2k3.windows.com
                admin_server = w2k3.windows.com
        }
[domain_realm]
         .unix.com = UNIX.COM
         unix.com = UNIX.COM
         .windows.com = WINDOWS.COM
         windows.com = WINDOWS.COM

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

Regards
Markus


"Miguel Sanders" <miguelsanders at telenet.be> wrote in message 
news:1162744296.180067.98070 at m73g2000cwd.googlegroups.com...
> Thanks a lot Markus
>
> Could you paste your krb5.conf as well?
>
> Kind regards
>
> Miguel
> Markus Moeller wrote:
>> "Miguel Sanders" <miguelsanders at telenet.be> wrote in message
>> news:1162737224.386797.216750 at e3g2000cwe.googlegroups.com...
>> > 1) You should use rc4-hmac. des is weak and shouldn't be used.
>> >
>> > Can that be used in combination with Active Directory? Which stanzas/
>> > configuration items should be used in kdc.conf and krb5.conf?
>>
>>
>> My kdc.conf looks like:
>>
>> [kdcdefaults]
>>         kdc_ports = 750,88
>> [realms]
>>         UNIX.COM = {
>>                 database_name = /var/lib/kerberos/krb5kdc/principal
>>                 admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
>>                 acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
>>                 key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
>>                 kdc_ports = 750,88
>>                 supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>>                 kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>>                 max_life = 10h 0m 0s
>>                 max_renewable_life = 7d 0h 0m 0s
>>         }
>> [logging]
>>     kdc = FILE:/var/log/kdc.log
>>     admin_server = FILE:/var/log/kadmin.log
>>
>>
>> >
>> > 2) Now why can't user XYZ at UNIX.COM login successfully with his Windows
>> > password?
>> >
>> > I meant on the Unix box, not on the Windows box, so sorry on that.
>> >
>>
>> I think there is some misunderstanding. I think you want your Windows
>> user xyz to be able to log in to your Unix machine. Now you have to
>> differentiate two cases.
>>
>> 1) Use Kerberos credentials to log in
>>      If you use your Windows credentials (XYZ at WINDOWS.COM) the Unix
>> server will try to match the credentials XYZ at WINDOWS.COM with a unix
>> user xyz and the default domain defined in krb5.conf (in your case
>> UNIX.COM), which is XYZ at UNIX.COM and fails. This can only be avoided
>> by using a mapping either in krb5.conf via auth_to_local or a .k5login
>> file in the user xyz's home directory.
>>
>> 2) Use a password.
>>
>> This usually doesn't work. The reason is that most applications don't
>> allow XYZ at WINDOWS.COM to be used as a username, and if you use xyz the
>> default domain UNIX.COM will be used again.
>>
>>
>> >
>> > Markus Moeller wrote:
>> >> "Miguel Sanders" <miguelsanders at telenet.be> wrote in message
>> >> news:1162725045.392694.47100 at i42g2000cwa.googlegroups.com...
>> >> > Hi
>> >> > I have been through many documents several times but I just can't
>> >> > seem to find the problem.
>> >> > Here is the idea.
>> >> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
>> >> > Host and service principals are defined in MIT Kerberos (realm
>> >> > UNIX.COM).
>> >> > Now I want the Windows users to be able to log in to the Unix
>> >> > machines (and thus the UNIX.COM realm).
>> >> > Since users and host/service principals are in separate realms,
>> >> > cross-realm authentication should be set up, right?
>> >> > So the point is that user XYZ (Windows Domain User) should be able
>> >> > to log on to the Unix Machines.
>> >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
>> >> > presume that this is the case (although set with a random password).
>> >>
>> >> You don't need the user in the MIT kdc. You either need a mapping like
>> >>                 auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
>> >>                 auth_to_local = DEFAULT
>> >> as part of the realms UNIX.COM section or use a .k5login file.
>> >>
>> >> > 2) Is something wrong with the given krb5.conf ?
>> >> > [libdefaults]
>> >> >        default_realm = UNIX.COM
>> >> >        default_keytab_name = FILE:/etc/krb5/krb5.keytab
>> >> >        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>> >> >        default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>> >> >
>> >> > [realms]
>> >> >        UNIX.COM= {
>> >> >                kdc = server1.unix.com:88
>> >> >                admin_server = server1.unix.com:749
>> >> >                default_domain = unix.com
>> >> >        }
>> >> >
>> >> >       WINDOWS.COM= {
>> >> >                kdc = server1.windows.com:88
>> >> >                admin_server = server1.windows.com:749
>> >> >                default_domain = unix.com
>> >> >        }
>> >> >
>> >> > [domain_realm]
>> >> >        .windows.com = WINDOWS.COM
>> >> >        windows.com = WINDOWS.COM
>> >> >        .unix.com = UNIX.COM
>> >> >        unix.com = UNIX.COM
>> >> >
>> >> > [capaths]
>> >> >        WINDOWS.COM = {
>> >> >                UNIX.COM = .
>> >> >        }
>> >> >
>> >> >        UNIX.COM = {
>> >> >                WINDOWS.COM = .
>> >> >        }
>> >> >
>> >> > 3) In kdc.conf I edited the following
>> >> > master_key_type = des-cbc-md5
>> >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
>> >>
>> >>
>> >>
>> >> >
>> >> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM at UNIX.COM and
>> >> > krbtgt/UNIX.COM at WINDOWS.COM principals with password ABC
>> >> >
>> >> > 5) In Active Directory I defined the MIT realm and MIT kerberos master
>> >> > with ksetup
>> >> >>ksetup
>> >> > default realm = windows.com (NT Domain)
>> >> > UNIX.COM:
>> >> >        kdc = server1.unix.com
>> >> >        Realm Flags = 0x0 none
>> >> > Mapping XYZ at UNIX.COM to XYZ
>> >>
>> >> The mapping is only needed when you login from Unix to Windows.
>> >>
>> >> >
>> >> > 6) In Active Directory I defined the realm trust (one way, incoming)
>> >> > with the password ABC
>> >> > 7) In Active Directory Users and Computers I created the name mapping
>> >> > for user XYZ to XYZ at UNIX.COM (since the mapping set up by ksetup
>> >> > wasn't visible here, did this just to be sure)
>> >>
>> >> I don't think you need this.
>> >>
>> >> >
>> >> > Now why can't user XYZ at UNIX.COM login successfully with his Windows
>> >> > password?
>> >> > I am quite desperate on this one. What am I missing?
>> >> > Any help would be greatly appreciated.
>> >> >
>> >>
>> >> You have to tell the Windows clients where to find the service
>> >> principals for the unix.com domain. This will be done with
>> >> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
>> >> on Active Directory.
>> >>
>> >> > Kind regards
>> >> >
>> >> > Miguel
>> >> >
>> >>
>> >> Regards
>> >> Markus
>> >
>>
>> Regards
>> Markus
> 
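As an added illustration of the auth_to_local mapping discussed in this thread (example code written for this archive page, not code from the thread, from Markus, or from MIT Kerberos), the following Python reimplements, in simplified form, how an MIT KDC client evaluates a RULE entry followed by DEFAULT when it decides which local account a Kerberos principal may log in to. It uses the rule and realm names from the krb5.conf above; the sample principals are constructed. Assumptions not supported by the thread: Python's re module stands in for the POSIX extended regex engine MIT uses, principals contain no backslash escapes, and the selector regexp must match the whole formatted string.

```python
"""Simplified evaluation of MIT krb5 auth_to_local rules (added example).

Assumptions (not from the thread): Python's re module stands in for the POSIX
extended regex engine MIT uses, principal names contain no backslash escapes,
and the regexp of a RULE must match the whole formatted string.
"""
import re
from typing import List, Optional, Tuple

# Taken from the [realms] UNIX.COM section of the krb5.conf above.
LOCAL_REALM = "UNIX.COM"
AUTH_TO_LOCAL = [
    "RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//",
    "DEFAULT",
]

# Shape of a rule entry: RULE:[n:format](regexp)s/pattern/replacement/[g]
_RULE_SYNTAX = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*)/(.*)/(g?)$")


def split_principal(principal: str) -> Tuple[List[str], str]:
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); the realm is required."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"not a fully qualified principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name a RULE entry yields, or None if it does not apply."""
    m = _RULE_SYNTAX.match(rule)
    if m is None:
        raise ValueError(f"malformed auth_to_local rule: {rule!r}")
    ncomp, fmt, regexp, pattern, replacement, flag = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):
        return None  # the rule only covers principals with exactly n components
    # $0 is the realm, $1..$n are the name components.
    subs = {"0": realm, **{str(i): c for i, c in enumerate(comps, 1)}}
    formatted = re.sub(r"\$(\d+)", lambda v: subs[v.group(1)], fmt)
    if re.fullmatch(regexp, formatted) is None:
        return None  # selector regexp did not match: rule does not apply
    return re.sub(pattern, replacement, formatted, count=0 if flag == "g" else 1)


def apply_default(principal: str, local_realm: str) -> Optional[str]:
    """DEFAULT: a single-component principal in the local realm maps to its name."""
    comps, realm = split_principal(principal)
    if realm != local_realm or len(comps) != 1:
        return None
    return comps[0]


def auth_to_local(principal: str, rules: List[str] = AUTH_TO_LOCAL,
                  local_realm: str = LOCAL_REALM) -> Optional[str]:
    """Evaluate the entries in order; the first one that applies decides.

    None means no entry matched, which is the failure the thread describes:
    the principal has no local account and the login is refused."""
    for rule in rules:
        if rule == "DEFAULT":
            result = apply_default(principal, local_realm)
        elif rule.startswith("RULE:"):
            result = apply_rule(rule, principal)
        else:
            raise ValueError(f"unsupported auth_to_local entry: {rule!r}")
        if result is not None:
            return result
    return None


def may_login(principal: str, local_user: str,
              rules: List[str] = AUTH_TO_LOCAL) -> bool:
    """Login check: the mapped local name must equal the account logged into."""
    return auth_to_local(principal, rules) == local_user


if __name__ == "__main__":
    # Constructed sample principals; xyz is the Unix account from the thread.
    for p in ("xyz@WINDOWS.COM", "xyz@UNIX.COM", "xyz@OTHER.COM",
              "host/web.windows.com@WINDOWS.COM"):
        print(f"{p:35} with rule -> {auth_to_local(p)!r:8} "
              f"DEFAULT only -> {auth_to_local(p, ['DEFAULT'])!r}")
```

Running the script shows the two cases Markus separates: with only DEFAULT, xyz@WINDOWS.COM maps to nothing because its realm is not UNIX.COM, so the login fails; with the RULE in place it maps to xyz. The selector regexp is what keeps the mapping narrow: a principal from any other realm, or a multi-component service principal from WINDOWS.COM, still maps to nothing rather than to a local account.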