Establishing and verifying a trust between Unix MIT KDC and Windows Server 2003 AD
N K
nkaluskar at gmail.com
Tue Aug 3 19:04:10 EDT 2010
Hi Ross,
Thank you very much for your prompt response. A number of things that I have
tried so far:
1) Incorrect passphrase for one of the three trust accounts
>> Will look at this
2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
>> specified the encryption type in the kdc.conf file and used the
"cpw" command to change the password of principals and re-generate the keys
using the specified encryption
3) Client machine cannot resolve the MIT KDCs
>> Have included the MIT KDC info in the client machine's krb5.ini
file and updated DNS information with the Unix Kerberos realm. However,
the netdom tool returns something like:
netdom trust <domain> /Domain:<realm> /verify /kerberos
/verbose
Establishing a session with \\<domaincontroller>
Reading LSA domain policy information
Unable to contact the domain <realm>
Deleting the session with \\<domaincontroller>
The command failed to complete successfully.
4) Duplicate mappings on user accounts in the same AD domain
(do an ldap search on altSecurityIdentities)
>> Will take a look at this
5) You may need to set TLN mappings (referrals) on one side or the other
>> Using the netdom ... /addtln command?
6) If you have multiple domains, is the realm trust set transitive?
>> Yes, the trust is transitive.
Regards,
Nivedita
On Tue, Aug 3, 2010 at 3:37 PM, Wilper, Ross A <rwilper at stanford.edu> wrote:
> Unfortunately, there are a lot of reasons that this could fail.
>
> 1) Incorrect passphrase for one of the three trust accounts
> 2) Enctype mismatch (by default, a new trust will only support RC4-HMAC)
> 3) Client machine cannot resolve the MIT KDCs
> 4) Duplicate mappings on user accounts in the same AD domain
> (do an ldap search on altSecurityIdentities)
> 5) You may need to set TLN mappings (referrals) on one side or the other
> 6) If you have multiple domains, is the realm trust set transitive?
>
> Probably more. The only times I've had failures were case #1 and #3
>
> Also note that MIT credentials will always fail to log on to RDP when NLA is
> in use.
>
> -Ross
>
> -----Original Message-----
> From: kerberos-bounces at MIT.EDU [mailto:kerberos-bounces at MIT.EDU] On Behalf
> Of N K
> Sent: Tuesday, August 03, 2010 3:19 PM
> To: kerberos at MIT.EDU
> Subject: Establishing and verifying a trust between Unix MIT KDC and
> Windows Server 2003 AD
>
> Hi all,
>
> I followed the steps for a cross-realm setup between the MIT KDC and AD
> according to O'Reilly's Definitive Guide book:
>
> - specifying KDC's using ksetup on the participating Windows machines
>
> - creating principals krbtgt/domain@realm and krbtgt/realm@domain in the
> MIT KDC
>
> - creating a 2 way trust in the AD
>
> - mapping an AD user to a user in the MIT KDC
>
> However, when I try to log on to the Kerberos realm from a Windows machine
> using the credentials of the MIT KDC user, I get an error that the system
> could not log me on because the username or domain is incorrect.
>
> Has anyone come across a similar problem before?
>
> Thanks much in advance,
>
> Nivedita.
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
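Two of the items on Ross's list, the enctype mismatch (#2) and duplicate altSecurityIdentities mappings (#4), can be checked offline from text you already have on hand. The script below is example code added to this archived thread, not something either poster ran; the `kadmin getprinc` output, the LDIF entries, the EXAMPLE.COM / AD.EXAMPLE.COM realm names and the list of MIT spellings for RC4-HMAC are all constructed assumptions, and with real data the inputs would come from `kadmin.local getprinc` on the MIT side and an ldapsearch for altSecurityIdentities on the AD side.

```python
import re
from collections import defaultdict

# Enctype names MIT uses for RC4-HMAC, the only type a fresh Windows Server
# 2003 realm trust offers by default (Ross's item 2). Assumed spelling list.
RC4_NAMES = {"arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac"}

# Matches the "Key: vno N, <enctype>[, <salt>]" lines of kadmin getprinc.
KEY_LINE = re.compile(r"^Key: vno \d+, ([^,\n]+)", re.MULTILINE)

# Constructed sample: one cross-realm krbtgt with only AES/DES keys (fails the
# trust) and the same principal after a cpw with an RC4 enctype (passes).
GETPRINC_AES_ONLY = """\
Principal: krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, des-cbc-crc, no salt
"""
GETPRINC_WITH_RC4 = """\
Principal: krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, arcfour-hmac, no salt
"""

def parse_enctypes(getprinc_output):
    """Enctype names of every key listed in `kadmin getprinc` output."""
    return {m.group(1).strip() for m in KEY_LINE.finditer(getprinc_output)}

def trust_enctype_check(getprinc_output, ad_enctypes=RC4_NAMES):
    """Report whether the MIT krbtgt principal has a key the AD side can use."""
    mit = parse_enctypes(getprinc_output)
    common = mit & ad_enctypes
    return {"mit": mit, "common": common, "ok": bool(common)}

# Constructed sample LDIF in the shape ldapsearch returns it; Alice's MIT
# principal is mapped onto two AD accounts (Ross's item 4), one of them folded
# across two lines as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=ad,DC=example,DC=com
altSecurityIdentities: Kerberos:alice@EXAMPLE.COM

dn: CN=Bob,CN=Users,DC=ad,DC=example,DC=com
altSecurityIdentities: Kerberos:bob@EXAMPLE.COM

dn: CN=Alice Old,CN=Users,DC=ad,DC=example,DC=com
altSecurityIdentities: Kerberos:alice
 @EXAMPLE.COM
"""

def parse_ldif(ldif_text):
    """Yield (dn, [altSecurityIdentities values]) for each LDIF entry.
    Folded lines (leading space) are joined; base64 ('::') values are skipped."""
    for block in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        dn, values = None, []
        for line in lines:
            if line.startswith("dn: "):
                dn = line[4:].strip()
            elif line.startswith("altSecurityIdentities: "):
                values.append(line.split(": ", 1)[1].strip())
        if dn:
            yield dn, values

def find_duplicate_mappings(ldif_text):
    """Map each altSecurityIdentities value to the DNs carrying it, keeping
    only values held by more than one account."""
    owners = defaultdict(list)
    for dn, values in parse_ldif(ldif_text):
        for value in values:
            owners[value].append(dn)
    return {v: dns for v, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for label, text in (("AES only", GETPRINC_AES_ONLY), ("with RC4", GETPRINC_WITH_RC4)):
        print(label, trust_enctype_check(text))
    for value, dns in find_duplicate_mappings(SAMPLE_LDIF).items():
        print("duplicate mapping", value, "->", dns)
```

Run it against both cross-realm krbtgt principals (krbtgt/domain@realm and krbtgt/realm@domain), since a trust only works when each side holds a key in an enctype the other supports; an empty `common` set is the mismatch Ross describes.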