Cross Realm MIT <-> Active Directory
Miguel Sanders
miguelsanders at telenet.be
Sun Nov 5 11:31:36 EST 2006
Thanks a lot Markus
Could you paste your krb5.conf aswell?
Kind regards
Miguel
Markus Moeller wrote:
> "Miguel Sanders" <miguelsanders at telenet.be> wrote in message
> news:1162737224.386797.216750 at e3g2000cwe.googlegroups.com...
> > 1) You should use rc4-hmac. des is week and shouldn't be used.
> >
> > Can that be used in combination with Active Directory? Which stanza's/
> > configuration items should be used in kdc.conf and krb5.conf?
>
>
> My kdc.conf looks like:
>
> [kdcdefaults]
> kdc_ports = 750,88
> [realms]
> UNIX.COM = {
> database_name = /var/lib/kerberos/krb5kdc/principal
> admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
> acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
> key_stash_file = /var/lib/kerberos/krb5kdc/.k5.UNIX.COM
> kdc_ports = 750,88
> supported_enctypes = rc4-hmac:normal des3-cbc-sha1:normal
> des-cbc-crc:normal des-cbc-md5:normal
> kdc_supported_enctypes = rc4-hmac:normal
> des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> }
> [logging]
> kdc = FILE:/var/log/kdc.log
> admin_server = FILE:/var/log/kadmin.log
>
>
> >
> > 2) Now why can't user XYZ at UNIX.COM login successfully with his Windows
> > password?
> >
> > I meant on the Unix box, not on the Windows box, so sorry on that.
> >
>
> I think here is some misunderstanding. I think you want that your Windows
> user xyz can login to your Unix machine. Now you have to differentiate two
> cases.
>
> 1) Use Kerberos credentials to login
> If you use your Windows credentials (XYZ at WINDOWS.COM) the Unix server
> will try to match the credentials XYZ at WINDOWS.COM with a unix user xyz and
> the default domain defined in krb5.conf (in your case UNIX.COM), which is
> XYZ at UNIX.COM and fails. This can only be avoided by using a mapping either
> in krb5.conf via auth_to_local or a .k5login file in the user xyz's home
> directory.
>
> 2) Use a password.
>
> This usually doesn't work. The reason is that most applications don't allow
> to use XYZ at WINDOWS.COM as a username and if you use xyz the default domain
> UNIX.COM will be used again.
>
>
> >
> > Markus Moeller wrote:
> >> "Miguel Sanders" <miguelsanders at telenet.be> wrote in message
> >> news:1162725045.392694.47100 at i42g2000cwa.googlegroups.com...
> >> > Hi
> >> > I have been through many documents for several times but I just can't
> >> > seem to find the problem.
> >> > Here is the idea.
> >> > Users are defined in Active Directory (domain/realm WINDOWS.COM)
> >> > Host and service principals are defined in MIT Kerberos (realm
> >> > UNIX.COM).
> >> > Now I want the Windows users to be able to login to the Unix machines(
> >> > and thus the UNIX.COM realm).
> >> > Since users and host/service principals are in separated realms, cross
> >> > realm authentication should be set up, right?
> >> > So the point is that users XYZ (Windows Domain User) should be able to
> >> > logon to the Unix Machines.
> >> > 1) Does the Windows user XYZ need to be defined in MIT Kerberos? I
> >> > presume that this is the case (although set with a random password).
> >>
> >> You don't need the user in the MIT kdc. You either need a mapping like
> >> auth_to_local = RULE:[1:$1@$0](.*@.WINDOWS.COM$)s/@.*//
> >> auth_to_local = DEFAULT
> >> as part of the realms UNIX.COM section or use a .k5login file.
> >>
> >> > 2) Is something wrong with the given krb5.conf ?
> >> > [libdefaults]
> >> > default_realm = UNIX.COM
> >> > default_keytab_name = FILE:/etc/krb5/krb5.keytab
> >> > default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> >> > default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> >> >
> >> > [realms]
> >> > UNIX.COM= {
> >> > kdc = server1.unix.com:88
> >> > admin_server = server1.unix.com:749
> >> > default_domain = unix.com
> >> > }
> >> >
> >> > WINDOWS.COM= {
> >> > kdc = server1.windows.com:88
> >> > admin_server = server1.windows.com:749
> >> > default_domain = unix.com
> >> > }
> >> >
> >> > [domain_realm]
> >> > .windows.com = WINDOWS.COM
> >> > windows.com = WINDOWS.COM
> >> > .unix.com = UNIX.COM
> >> > unix.com = UNIX.COM
> >> >
> >> > [capaths]
> >> > WINDOWS.COM = {
> >> > UNIX.COM = .
> >> > }
> >> >
> >> > UNIX.COM = {
> >> > WINDOWS.COM = .
> >> > }
> >> >
> >> > 3) In kdc.conf I edited the following
> >> > master_key_type = des-cbc-md5
> >> > supported_enctypes = des-cbc-md5:normal des-cbc-crc:normal
> >>
> >>
> >>
> >> >
> >> > 4) In MIT Kerberos I defined krbtgt/WINDOWS.COM at UNIX.COM and
> >> > krbtgt/UNIX.COM at WINDOWS.COM principals with password ABC
> >> >
> >> > 5) In Active Directory I defined the MIT realm and MIT kerberos master
> >> > with ksetup
> >> >>ksetup
> >> > default realm = windows.com (NT Domain)
> >> > UNIX.COM:
> >> > kdc = server1.unix.com
> >> > Realm Flags = 0x0 none
> >> > Mapping XYZ at UNIX.COM to XYZ
> >>
> >> The mapping is only needed when you login from Unix to Windows.
> >>
> >> >
> >> > 6) In Active Directory I defined the realm trust (one way, incoming)
> >> > with the password ABC
> >> > 7) In Active Directory Users and Computers I created the name mapping
> >> > for user XYZ to XYZ at UNIX.COM (since the mapping set up by ksetup wasn't
> >> > visible here, did this just to be sure)
> >>
> >> I don't think you need this.
> >>
> >> >
> >> > Now why can't user XYZ at UNIX.COM login successfully with his Windows
> >> > password?
> >> > I am quite desperate on this one. What am I missing?
> >> > Any help would be greatly appreciated.
> >> >
> >>
> >> You have to tell the Windows clients where to find the service principals
> >> for the unix.com domain. This will be done with
> >> trust WINDOWS.COM/ domain:UNIX.COM /addtln:unix.com
> >> on Active Directory.
> >>
> >> > Kind regards
> >> >
> >> > Miguel
> >> >
> >>
> >> Regards
> >> Markus
> >
>
> Regards
> Markus
More information about the Kerberos
mailing list