Using MIT KDC on Linux with Windows Login without AD using local group Guests

Douglas E. Engert deengert at anl.gov
Fri Apr 9 10:38:14 EDT 2010


Tom Medhurst wrote:
> Hi There,
> I apologise in advance for the following rant, but I believe there are
> issues that need addressing...
> 
> I am completely unable to get Windows clients authenticating against
> Kerberos 5 server. I truly appreciate the assistance that Douglas has given
> me with that case, but we have been unsuccessful in getting it to work.
> 
> In fact there are forum posts all over the web, full of people who are
> unable to get Windows clients authenticating against krb5, all that I have
> encountered have been left unanswered.

Well, I did not think Microsoft was this unix unfriendly, so I did some
more searching and last night brought up an MIT 1.7 KDC on u1(ubuntu)
and ran ksetup on dougpc (XP SP3 Pro).

The /etc/hosts and c:\windows\system32\drivers\etc\hosts files were modified
to add u1.myhome.org

user testuser at MYHOME.ORG and host/dougpc.myhome.org at MYHOME.ORG were added
to the realm, and ksetup /setComputerPassword was used with the same password
as used with kadmin.local:
addprinc -e "arcfour-hmac:normal" host/dougpc.myhome.org at MYHOME.ORG


ksetup shows this:
default realm = MYHOME.ORG (external)
MYHOME.ORG:
         kdc = u1.myhome.org
         Realm Flags = 0x0 none
Mapping testuser at MYHOME.ORG to testuser.

The hidden piece of information is in:
http://technet.microsoft.com/en-us/library/cc736890(WS.10).aspx
which says if the mapping is to user guest, it will work.

If user guest could work, why not try adding user testuser to the local
group "guests". Login from the console worked!

The Microsoft "klist tickets" and "klist tgt" did not show any tickets
in the LSA, but did allow login. The profile appears to be set for the testuser
and I could create a file in the testuser's My Documents.

From another account, runas /user:testuser at MYHOME.ORG cmd.exe
(with and without /netonly) also works and shows tickets.

Not tried:

    Vista or W7. Maybe the LSA does save the tickets.

    PuTTY that uses SSPI with the tickets in the LSA.

    Mapping * *. I suspect it will work with any user that is in the local
    guests group.

    Checking ACLs to see if being in group guests does not open up
    additional security risks.

(I also changed the subject of the original message as others on those
forums might find this message.)

> 
> Many thanks for your time,
> Kind Regards
> Tom Medhurst
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
