Cross Realm MIT <-> Active Directory
Miguel Sanders
miguelsanders at telenet.be
Sun Nov 5 06:10:45 EST 2006
Hi
I have been through many documents several times but I just can't
seem to find the problem.
Here is the idea.
Users are defined in Active Directory (domain/realm WINDOWS.COM)
Host and service principals are defined in MIT Kerberos (realm
UNIX.COM).
Now I want the Windows users to be able to log in to the Unix machines
(and thus the UNIX.COM realm).
Since users and host/service principals are in separated realms, cross
realm authentication should be set up, right?
So the point is that user XYZ (Windows domain user) should be able to
log on to the Unix machines.
1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
presume that this is the case (although set with a random password).
2) Is something wrong with the given krb5.conf?

    [libdefaults]
        default_realm = UNIX.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

    [realms]
        UNIX.COM = {
            kdc = server1.unix.com:88
            admin_server = server1.unix.com:749
            default_domain = unix.com
        }
        WINDOWS.COM = {
            kdc = server1.windows.com:88
            admin_server = server1.windows.com:749
            default_domain = unix.com
        }

    [domain_realm]
        .windows.com = WINDOWS.COM
        windows.com = WINDOWS.COM
        .unix.com = UNIX.COM
        unix.com = UNIX.COM

    [capaths]
        WINDOWS.COM = {
            UNIX.COM = .
        }
        UNIX.COM = {
            WINDOWS.COM = .
        }
3) In kdc.conf I edited the following:

    master_key_type = des-cbc-md5
    supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
4) In MIT Kerberos I defined the krbtgt/WINDOWS.COM@UNIX.COM and
krbtgt/UNIX.COM@WINDOWS.COM principals with password ABC.
5) In Active Directory I defined the MIT realm and MIT Kerberos master
with ksetup:

    >ksetup
    default realm = windows.com (NT Domain)
    UNIX.COM:
        kdc = server1.unix.com
        Realm Flags = 0x0 none
    Mapping XYZ@UNIX.COM to XYZ
6) In Active Directory I defined the realm trust (one way, incoming)
with the password ABC.
7) In Active Directory Users and Computers I created the name mapping
for user XYZ to XYZ@UNIX.COM (since the mapping set up by ksetup wasn't
visible here; I did this just to be sure).
Now why can't user XYZ@UNIX.COM log in successfully with his Windows
password?
I am quite desperate on this one. What am I missing?
Any help would be greatly appreciated.
Kind regards
Miguel
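An added consistency checker for the configuration in this post; it is not part of Miguel's message and not MIT or Microsoft tooling. It parses the krb5.conf above (embedded here as constructed sample input), derives the pair of cross-realm krbtgt principals that must exist with matching keys in the two KDCs, and reports the points a defender would verify for a two-realm direct trust: that each realm in [realms] has a kdc, that each realm's default_domain maps back to that realm in [domain_realm], that [capaths] has a direct path ('.') in both directions, and that [libdefaults] does not pin ticket enctypes to single DES, which RFC 6649 deprecates (the WEAK_ENCTYPES list is my own). The parser handles one level of braces, which is enough for [realms] and [capaths]. Whether the default_domain mismatch it flags under WINDOWS.COM is the cause of the login failure is not something the post establishes.

```python
"""Parse a krb5.conf fragment and sanity-check a two-realm cross-realm setup.

Added example, not from the original post. The sample config is the one
Miguel posted, reproduced here as constructed test input.
"""
import re

# Constructed sample input: the krb5.conf from the post, verbatim.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = UNIX.COM
    default_keytab_name = FILE:/etc/krb5/krb5.keytab
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
[realms]
    UNIX.COM= {
        kdc = server1.unix.com:88
        admin_server = server1.unix.com:749
        default_domain = unix.com
    }
    WINDOWS.COM= {
        kdc = server1.windows.com:88
        admin_server = server1.windows.com:749
        default_domain = unix.com
    }
[domain_realm]
    .windows.com = WINDOWS.COM
    windows.com = WINDOWS.COM
    .unix.com = UNIX.COM
    unix.com = UNIX.COM
[capaths]
    WINDOWS.COM = {
        UNIX.COM = .
    }
    UNIX.COM = {
        WINDOWS.COM = .
    }
"""

# Single-DES enctypes (deprecated by RFC 6649) plus 3DES and RC4 (RFC 8429).
# This list is the example's own assumption, not drawn from the post.
WEAK_ENCTYPES = ("des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                 "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers, `key = value`, and one
    level of `key = { ... }` subsections. Repeated scalar keys (e.g. several
    kdc lines) are collected into a list. Returns {section: {key: value}}."""
    conf = {}
    section = None  # dict for the current [section]
    sub = None      # dict for the current { ... } block, if inside one
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            sub = None
            continue
        if section is None:
            raise ValueError(f"key/value outside any section: {line!r}")
        if line == "}":
            sub = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":  # handles both "UNIX.COM= {" and "UNIX.COM = {"
            sub = section.setdefault(key, {})
            continue
        target = sub if sub is not None else section
        if key in target:  # repeated key -> list of values
            prev = target[key]
            target[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            target[key] = value
    return conf


def cross_realm_principals(local_realm, remote_realm):
    """The two cross-realm TGT principals a direct two-way trust needs, one in
    each realm's database; their keys must match (same password, same enctype)."""
    return (f"krbtgt/{remote_realm}@{local_realm}",
            f"krbtgt/{local_realm}@{remote_realm}")


def check_cross_realm(conf, local_realm, remote_realm):
    """Return a list of human-readable findings for a two-realm direct trust."""
    findings = []
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    capaths = conf.get("capaths", {})
    for realm in (local_realm, remote_realm):
        entry = realms.get(realm)
        if not isinstance(entry, dict) or "kdc" not in entry:
            findings.append(f"[realms] {realm}: missing or has no kdc")
            continue
        dom = entry.get("default_domain")
        if dom and domain_realm.get(dom) != realm:
            findings.append(f"[realms] {realm}: default_domain {dom} maps to "
                            f"{domain_realm.get(dom)} in [domain_realm], not {realm}")
    for src, dst in ((local_realm, remote_realm), (remote_realm, local_realm)):
        path = capaths.get(src)
        if not isinstance(path, dict) or path.get(dst) != ".":
            findings.append(f"[capaths] {src} -> {dst}: no direct path ('.') configured")
    libdefaults = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key)
        if isinstance(value, str):
            weak = [e for e in value.split() if e in WEAK_ENCTYPES]
            if weak:
                findings.append(f"[libdefaults] {key}: deprecated enctypes {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("required principals:", cross_realm_principals("UNIX.COM", "WINDOWS.COM"))
    for finding in check_cross_realm(parsed, "UNIX.COM", "WINDOWS.COM"):
        print("-", finding)
```

Run on the posted config, the checker reports the default_domain under WINDOWS.COM pointing at unix.com and the single-DES enctypes pinned in [libdefaults]; the [capaths] and kdc entries pass. The same function can be pointed at a production krb5.conf by reading the file into parse_krb5_conf.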