Windows client authentication problem

Viji V Nair vijivijayakumar at gmail.com
Tue Dec 30 12:30:58 EST 2008


Hi,

I am trying to authenticate Windows XP clients to an MIT Kerberos server.
The server is on a Linux machine and I have both Windows and Linux clients
on my network. I have followed the steps below, but with no success.

I configured the Kerberos server and the Linux clients are authenticating
properly, but no success on the Windows clients. On the Kerberos server I have
created a host principal using the following command.

# kadmin -q "ank host/bmdata01.testing.com"
(I tried kadmin -q "ank host/bmdata01" also)

On the Windows XP client (bmdata01),

C:> ksetup /setrealm TESTING.COM
C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
C:> ksetup /setmachpassword <password>
C:> ksetup /mapuser admin@TESTING.COM guest
C:> ksetup /mapuser * *

After the reboot, Windows shows TESTING.COM as a Kerberos realm on the
login screen, but when I try to log in using a Kerberos user it throws
the following error.

*"The system could not log you on. Make sure your user name and domain are
correct, and then type your password again. Letters in passwords must be
typed using the correct case."*

But the Kerberos server is issuing the tickets; the log shows:

Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM

I found an article on the Microsoft website saying this is a bug and to
apply the latest service pack (SP3); I tried that too, but no success.

http://support.microsoft.com/kb/825081

Similar Thread:
http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html

c:> ksetup.exe
default realm = TESTING.COM (external)
TESTING.COM:
        kdc = viji.testing.com
        Realm Flags = 0x0 none
Mapping all users (*) to guest.
Mapping admin to guest.

# cat /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TESTING.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 TESTING.COM = {
  kdc = viji.testing.com:88
  admin_server = viji.testing.com:749
  default_domain = testing.com
}

[domain_realm]
 .testing.com = TESTING.COM
 testing.com = TESTING.COM

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[dbmodules]
  TESTING.COM = {
    db_library = kldap
    ldap_servers = ldap://127.0.0.1/
    ldap_kerberos_container_dn = cn=kerberos,dc=testing,dc=com
    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
  }

Any help on this will be greatly appreciated.


Thanks & Regards
Viji
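The KDC log quoted in the post shows the client advertising only etypes 23, 3, 1, 24 and some Microsoft-private negative numbers, while both issued tickets are encrypted with tkt=18 (aes256-cts-hmac-sha1-96). For the krbtgt ticket that is irrelevant, since only the KDC decrypts a TGT, but the host/bmdata01.testing.com ticket is one a workstation decrypts itself with its machine key at logon. The script below is an added example, not part of the original post or of MIT Kerberos: it parses krb5kdc ISSUE lines in the format shown above (the three sample lines are the post's own, rejoined onto single lines with the mailing-list address munging undone) and flags any ticket whose reply, session or, for a non-krbtgt service, ticket enctype was not in the list the client offered. The ETYPE_NAMES table covers only the common RFC 3961/4120 numbers; everything else is reported by number.

```python
"""Flag krb5kdc-issued tickets whose enctype the requesting client never offered.

Added example (not the poster's code).  Parses MIT krb5kdc log lines of the
form quoted in the post and reports likely enctype mismatches.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known Kerberos etype numbers (RFC 3961 / RFC 4120 / RFC 4757).
# Negative numbers such as -128, -133, -135 are Microsoft-private etypes
# advertised by Windows clients and are deliberately not named here.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# Matches only the "ISSUE" lines; NEEDED_PREAUTH and error lines are skipped.
ISSUE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-0-9 ]+)\}\) (?P<addr>[\d.]+): ISSUE: "
    r"authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<service>\S+)"
)


def etype_name(num: int) -> str:
    return ETYPE_NAMES.get(num, f"etype {num}")


@dataclass
class Issue:
    req: str            # AS_REQ or TGS_REQ
    addr: str           # client IP as logged
    offered: List[int]  # etypes the client advertised in its request
    rep: int            # enctype of the KDC reply (client decrypts this)
    tkt: int            # enctype of the issued ticket (service decrypts this)
    ses: int            # session key enctype (both sides use this)
    client: str
    service: str

    def problems(self) -> List[str]:
        """Return human-readable reasons this issuance looks wrong for the client."""
        reasons = []
        if self.rep not in self.offered:
            reasons.append(f"reply enctype {etype_name(self.rep)} not offered by client")
        if self.ses not in self.offered:
            reasons.append(f"session enctype {etype_name(self.ses)} not offered by client")
        # The ticket enctype is chosen from the *service* principal's keys.  A
        # TGT is only ever decrypted by the KDC, so skip krbtgt/ services; for
        # any other service the holder of that service key must decrypt it,
        # and when that service is the requesting workstation itself (host/...
        # at logon) an enctype it never offered is one it cannot handle.
        if not self.service.startswith("krbtgt/") and self.tkt not in self.offered:
            reasons.append(
                f"ticket for {self.service} encrypted with {etype_name(self.tkt)}, "
                "which the requesting client did not offer"
            )
        return reasons


def parse_issue(line: str) -> Optional[Issue]:
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    return Issue(
        req=m["req"], addr=m["addr"],
        offered=[int(x) for x in m["offered"].split()],
        rep=int(m["rep"]), tkt=int(m["tkt"]), ses=int(m["ses"]),
        client=m["client"], service=m["service"],
    )


def find_mismatches(lines: List[str]) -> List[Tuple[Issue, List[str]]]:
    """Return (issue, reasons) for every ISSUE line with at least one problem."""
    found = []
    for line in lines:
        issue = parse_issue(line)
        if issue is None:
            continue
        reasons = issue.problems()
        if reasons:
            found.append((issue, reasons))
    return found


# Sample input: the three log lines from the post, rejoined onto single lines.
SAMPLE_LOG_LINES = [
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, "
    "Additional pre-authentication required",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: "
    "ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for "
    "host/bmdata01.testing.com@TESTING.COM",
]

if __name__ == "__main__":
    for issue, reasons in find_mismatches(SAMPLE_LOG_LINES):
        print(f"{issue.req} from {issue.addr} for {issue.service}:")
        for r in reasons:
            print("  -", r)
```

Run against a real /var/log/krb5kdc.log by reading its lines into find_mismatches. On the post's lines it reports exactly one entry, the TGS_REQ for host/bmdata01.testing.com@TESTING.COM encrypted with aes256-cts-hmac-sha1-96, which is the enctype of the host principal's key in the KDC database; the client's own request lists only DES, RC4 and Microsoft-private etypes.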
