Cross Realm MIT <-> Active Directory
Markus Moeller
huaraz at moeller.plus.com
Sun Nov 5 12:54:14 EST 2006
My krb5.conf file
[libdefaults]
default_realm = UNIX.COM
dns_lookup_kdc = no
dns_lookup_realm = no
default_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
noaddresses = no
[realms]
UNIX.COM = {
kdc = opensuse.unix.com
admin_server = opensuse.unix.com
auth_to_local = RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//
auth_to_local = DEFAULT
}
WINDOWS.COM = {
kdc = w2k3.windows.com
admin_server = w2k3.windows.com
}
[domain_realm]
.unix.com = UNIX.COM
unix.com = UNIX.COM
.windows.com = WINDOWS.COM
windows.com = WINDOWS.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
Regards
Markus
"Miguel Sanders" <miguelsanders at telenet.be> wrote in message
news:1162744296.180067.98070 at m73g2000cwd.googlegroups.com...
> Thanks a lot Markus
>
> Could you paste your krb5.conf as well?
>
> Kind regards
>
> Miguel
> Markus Moeller wrote:
>> "Miguel Sanders" <miguelsanders at telenet.be> wrote in message
>> news:1162737224.386797.216750 at e3g2000cwe.googlegroups.com...
>> > 1) You should use rc4-hmac. des is weak and shouldn't be used.
>> >
>> > Can that be used in combination with Active Directory? Which stanzas/
>> > configuration items should be used in kdc.conf and krb5.conf?
>>
>>
>> My kdc.conf looks like:
>>
>> [kdcdefaults]
>> kdc_ports = 750,88
>> [realms]
>> UNIX.COM = {
>> database_name = /var/lib/kerberos/krb5kdc/principal
>> admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
>> acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
>> key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
>> kdc_ports = 750,88
>> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>> kdc_supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
>> max_life = 10h 0m 0s
>> max_renewable_life = 7d 0h 0m 0s
>> }
>> [logging]
>> kdc = FILE:/var/log/kdc.log
>> admin_server = FILE:/var/log/kadmin.log
>>
>>
>> >
>> > 2) Now why can't user XYZ at UNIX.COM login successfully with his Windows
>> > password?
>> >
>> > I meant on the Unix box, not on the Windows box, so sorry on that.
>> >
>>
>> I think here is some misunderstanding. I think you want that your Windows
>> user xyz can login to your Unix machine. Now you have to differentiate
>> two
>> cases.
>>
>> 1) Use Kerberos credentials to login
>> If you use your Windows credentials (XYZ at WINDOWS.COM) the Unix
>> server
>> will try to match the credentials XYZ at WINDOWS.COM with a unix user xyz
>> and
>> the default domain defined in krb5.conf (in your case UNIX.COM), which is
>> XYZ at UNIX.COM and fails. This can only be avoided by using a mapping
>> either
>> in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
>> directory.
>>
>> 2) Use a password.
>>
>> This usually doesn't work. The reason is that most applications don't
>> allow using XYZ at WINDOWS.COM as a username, and if you use xyz the default
>> domain UNIX.COM will be used again.
>>
>>
>> >
>> > Markus Moeller wrote:
>> >> "Miguel Sanders" <miguelsanders at telenet.be> wrote in message
>> >> news:1162725045.392694.47100 at i42g2000cwa.googlegroups.com...
>> >> > Hi
>> >> > I have been through many documents for several times but I just
>> >> > can't
>> >> > seem to find the problem.
>> >> > Here is the idea.
>> >> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
>> >> > Host and service principals are defined in MIT Kerberos (realm
>> >> > UNIX.COM).
>> >> > Now I want the Windows users to be able to login to the Unix
>> >> > machines (and thus the UNIX.COM realm).
>> >> > Since users and host/service principals are in separate realms,
>> >> > cross-realm authentication should be set up, right?
>> >> > So the point is that users XYZ (Windows Domain User) should be able
>> >> > to
>> >> > logon to the Unix Machines.
>> >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
>> >> > presume that this is the case (although set with a random password).
>> >>
>> >> You don't need the user in the MIT kdc. You either need a mapping like
>> >> auth_to_local =
>> >> RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//
>> >> auth_to_local = DEFAULT
>> >> as part of the realms UNIX.COM section or use a .k5login file.
>> >>
>> >> > 2) Is something wrong with the given krb5.conf ?
>> >> > [libdefaults]
>> >> > default_realm = UNIX.COM
>> >> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
>> >> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
>> >> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>> >> >
>> >> > [realms]
>> >> > UNIX.COM= {
>> >> > kdc = server1.unix.com:88
>> >> > admin_server = server1.unix.com:749
>> >> > default_domain = unix.com
>> >> > }
>> >> >
>> >> > WINDOWS.COM= {
>> >> > kdc = server1.windows.com:88
>> >> > admin_server = server1.windows.com:749
>> >> > default_domain = unix.com
>> >> > }
>> >> >
>> >> > [domain_realm]
>> >> > .windows.com = WINDOWS.COM
>> >> > windows.com = WINDOWS.COM
>> >> > .unix.com = UNIX.COM
>> >> > unix.com = UNIX.COM
>> >> >
>> >> > [capaths]
>> >> > WINDOWS.COM = {
>> >> > UNIX.COM = .
>> >> > }
>> >> >
>> >> > UNIX.COM = {
>> >> > WINDOWS.COM = .
>> >> > }
>> >> >
>> >> > 3) In kdc.conf I edited the following
>> >> > master_key_type = des-cbc-md5
>> >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
>> >>
>> >>
>> >>
>> >> >
>> >> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM at UNIX.COM and
>> >> > krbtgt/UNIX.COM at WINDOWS.COM principals with password ABC
>> >> >
>> >> > 5) In Active Directory I defined the MIT realm and MIT kerberos
>> >> > master
>> >> > with ksetup
>> >> >>ksetup
>> >> > default realm = windows.com (NT Domain)
>> >> > UNIX.COM:
>> >> > kdc = server1.unix.com
>> >> > Realm Flags = 0x0 none
>> >> > Mapping XYZ at UNIX.COM to XYZ
>> >>
>> >> The mapping is only needed when you login from Unix to Windows.
>> >>
>> >> >
>> >> > 6) In Active Directory I defined the realm trust (one way, incoming)
>> >> > with the password ABC
>> >> > 7) In Active Directory Users and Computers I created the name
>> >> > mapping
>> >> > for user XYZ to XYZ at UNIX.COM (since the mapping set up by ksetup
>> >> > wasn't
>> >> > visible here, did this just to be sure)
>> >>
>> >> I don't think you need this.
>> >>
>> >> >
>> >> > Now why can't user XYZ at UNIX.COM login successfully with his Windows
>> >> > password?
>> >> > I am quite desperate on this one. What am I missing?
>> >> > Any help would be greatly appreciated.
>> >> >
>> >>
>> >> You have to tell the Windows clients where to find the service
>> >> principals
>> >> for the unix.com domain. This will be done with
>> >> trust WINDOWS.COM /domain:UNIX.COM /addtln:unix.com
>> >> on Active Directory.
>> >>
>> >> > Kind regards
>> >> >
>> >> > Miguel
>> >> >
>> >>
>> >> Regards
>> >> Markus
>> >
>>
>> Regards
>> Markus
>
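Added example, not code from the thread: a small re-implementation of the auth_to_local mapping semantics from krb5.conf(5), used to check how the rules discussed in this thread treat a WINDOWS.COM user logging in to a UNIX.COM host. It shows why `RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//` maps xyz@WINDOWS.COM to the Unix user xyz, why the earlier variant with `@.WINDOWS.COM` never matches (so the login falls through to DEFAULT and fails), and why a two-component name such as host/opensuse.unix.com@UNIX.COM gets no local name at all. The tightened rule with `WINDOWS\.COM` is my addition. Assumptions not stated in the thread: the selector regexp has to match the whole formatted string (as the MIT implementation requires), Python's re module stands in for POSIX ERE, and principal names contain no backslash escapes. Nothing here talks to a KDC.

```python
"""
Evaluate krb5.conf auth_to_local rules against a principal name.

Added example (not from the thread).  Assumptions: the selector regexp
must match the whole formatted string, Python 're' stands in for POSIX
ERE, and principal names contain no backslash escapes.
"""
import re
from typing import List, Optional, Tuple

# RULE:[<n>:<string>](<regexp>)s/<pattern>/<replacement>/[g]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")

# The two rules posted in the thread, plus a tightened variant (my addition):
# escaping the dot in the realm stops e.g. xyz@WINDOWSXCOM from mapping to xyz.
RULES_FINAL = ["RULE:[1:$1@$0](.*@WINDOWS.COM$)s/@.*//", "DEFAULT"]
RULES_EARLIER = ["RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//", "DEFAULT"]
RULES_TIGHT = [r"RULE:[1:$1@$0](.*@WINDOWS\.COM$)s/@.*//", "DEFAULT"]


def split_principal(principal: str) -> Tuple[List[str], str]:
    """'host/opensuse.unix.com@UNIX.COM' -> (['host', 'opensuse.unix.com'], 'UNIX.COM')."""
    name, at, realm = principal.rpartition("@")
    if not at or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one RULE:, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"cannot parse rule: {rule!r}")
    ncomp, fmt, selector, pattern, repl, gflag = m.groups()
    comps, realm = split_principal(principal)
    if len(comps) != int(ncomp):   # [1:...] only considers one-component names
        return None

    def expand(v):                 # $0 is the realm, $1..$n are the components
        i = int(v.group(1))
        return realm if i == 0 else comps[i - 1]

    formatted = re.sub(r"\$(\d)", expand, fmt)
    if re.fullmatch(selector, formatted) is None:
        return None
    # sed-style substitution; without the trailing 'g' only the first hit is replaced
    return re.sub(pattern, repl, formatted, count=0 if gflag else 1)


def apply_default(principal: str, default_realm: str) -> Optional[str]:
    """DEFAULT: single-component names in the default realm map to that component."""
    comps, realm = split_principal(principal)
    if realm == default_realm and len(comps) == 1:
        return comps[0]
    return None


def auth_to_local(rules: List[str], principal: str, default_realm: str) -> Optional[str]:
    """First rule that yields a name wins; None means the mapping (and the login) fails."""
    for rule in rules:
        out = (apply_default(principal, default_realm) if rule == "DEFAULT"
               else apply_rule(rule, principal))
        if out is not None:
            return out
    return None


def k5login_allows(k5login: str, principal: str) -> bool:
    """~/.k5login is an allow-list of full principal names, one per line."""
    return principal in {line.strip() for line in k5login.splitlines() if line.strip()}


if __name__ == "__main__":
    for label, rules in (("final", RULES_FINAL), ("earlier", RULES_EARLIER), ("tight", RULES_TIGHT)):
        for p in ("xyz@WINDOWS.COM", "xyz@UNIX.COM",
                  "host/opensuse.unix.com@UNIX.COM", "xyz@WINDOWSXCOM"):
            print(f"{label:8s} {p:35s} -> {auth_to_local(rules, p, 'UNIX.COM')}")
    # Constructed ~/.k5login for the Unix user xyz: admits the Windows user without any rule.
    print(k5login_allows("xyz@WINDOWS.COM\n", "xyz@WINDOWS.COM"))
```

Running it prints `xyz` for the final rule, `None` for the earlier rule, and `None` for the host principal under every rule set, which is the failure mode Markus describes: with no matching rule and a non-default realm, DEFAULT has nothing to map and the login is refused. The unescaped dot in the posted rule also accepts xyz@WINDOWSXCOM; in practice only realms the KDC trusts can present cross-realm tickets, so this is a tidiness issue rather than a hole, but `WINDOWS\.COM` costs nothing.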